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PHASE  II  FINAL  REPORT 

COMPUTERIZED  SITE  SECURITY  MONITOR  AND  RESPONSE  SYSTEM 

by 

R.  T.  Moore,  R.  J.  Carpenter , A.  W.  Holt, 

A.  L.  Koenig  and  R.  B.  J.  Warnar 


INTRODUCTION 

The  Computerized  Site  Security  Monitor  and  Response  Sys- 
tem (CSSMRS)  was  conceived  as  an  integrated,  state-of-the-art, 
computer  based  system  to  enhance  and  improve  the  overall  physical 
security  of  storage  sites  for  nuclear  weapons  and  materials. 
This  would  result  from  the  interconnection  of  all  site  security 
systems  including  intrusion  detection  equipment,  duress  alarms, 
guard  radio  and  telephone  systems,  guard  activity  sensors,  access 
control  equipments,  meteorological  and  environmental  sensors  and 
deterrent  systems  to  a distributed  processing  network  of  comput- 
ers. These  would  be  expected  to  provide  timely,  accurate  and 
unambiguous  information  about  the  site  security  status  or  the 
progress  of  an  attack  or  intrusion  attempt.  To  the  extent  that 
is  feasible,  appropriate  response  initiatives  would  be  prepro- 
grammed into  the  system.  Changes  in  site  security  status  and  the 
resulting  response  actions  would  be  automatically  reported  up- 
channel  to  higher  command  levels  and  backup  and  reserve  forces 
would  be  automatically  called  out  in  the  event  of  certain  iden- 
tifiable threat  situations,  particularly  those  in  which  continued 
survival  of  local  guard  forces  might  be  doubtful. 


Work  on  the  CSSMRS  project  is  bei 
phases.  In  Phase  I,  research  was  conduc 
plicability  and  feasibility  of  certain 
develop  the  broad  outlines  of  the  system 
specific  areas  where  further  research 
would  be  required.  During  that  phase  it 
CSSMRS  would  incorporate  a distributed  ne 
telecommunications  with  heavy  emphasis  o 
ful  degradation  in  the  face  of  malfunctio 
curring  or  induced  by  an  adversary.  Th 
evolving  Forced  Entry  Deterrent  Systems 
and  recommendations  were  made  in  suppo 
taggants  and  trace  material  detection  sys 
detection  and  apprehension  of  an  adver 
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exposed  to  a FEDS.  The  desirability  of  monitoring  environmental 
sensors  in  order  to  more  effectively  identify  nuisance  alarms  was 
reaffirmed  and  research  and  development  of  the  correlation  tech- 
niques to  effectively  utilize  this  environmental  data  was  recom- 
mended. Interfaces  with  intrusion  alarm  systems  and  with  alarm 
assessment  systems  were  studied  and  technical  alternatives  for 
their  integration  in  a CSSMRS  were  identified.  These  and  other 
relevant  findings  are  reported  in  NBSIR  77-1262.  (See  list  of 
references . ) 


In  Phase  II,  the  various  technical  alternatives  were 
evaluated,  and  the  physical  and  functional  attributes  of  the 
various  subsystems  and  components  were  identified.  Laboratory 
tests  and  experiments  were  conducted  as  required  to  support  the 
selection  of  communications  media  and  protocols,  processor 
characteristics  and  configurations,  response  times,  and  the  as- 
pects of  reliability  and  survivability.  Processes  and  techniques 
were  invoked  to  minimize  the  influence  of  site  dependent  factors 
and  to  permit  orderly  recovery  from  processor  or  communications 
failures.  These  and  other  related  activities  resulted  in  a sys- 
tem definition  that  is  reflected  in  the  formal  CSSMRS  Prototype 
Specifications  and  in  this  report. 


In  Phase  III,  one 
be  procured  and  installed 
ev  al ua  t ion . 


or  more  prototype  CSSMRS 
at  appropriate  sites  for 


systems  will 
field  test  and 
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DEFINITIONS 


The  following  definitions  are  used  in  this  report: 

AUGMENTATION  FORCE:  Troops  stationed  outside  the  SITE.  The  Aug- 
mentation Force  can  be  expected  to  arrive  at  the  EXCLUSION  AREA 
within  4 hours  of  the  time  that  the  summons  is  sent. 

CENTRAL  UNIT  (CU):  The  computer  complex  which  is  housed  within 
the  SSCC , together  with  its  associated  communications  components. 

ELECTRONIC  LOCK:  A method  used  for  opening  the  door  to  a 
Storage  Area.  It  is  activated  by  an  electronic  key  carried  by  one 
of  the  persons  authorized  to  enter  the  Storage  Area. 

EXCLUSION  AREA:  Any  designated  area  immediately  surrounding  one 
or  more  nuclear  weapons/ sys terns . Normally,  the  boundaries  of  the 
area  are  the  walls,  floor  and  ceiling  of  a structure  or  are  del- 
ineated by  a permanent  or  temporary  barrier. 

FORCED  ENTRY  DETERRENT  SYSTEMS  (FEDS):  This  acronym  is  defined 
by  the  Defense  Nuclear  Agency  (DNA)  as  a family  of  deterrent  sys- 
tems that,  when  activated,  will  have  a measurable  impact  on  one 
or  (preferably)  more  of  the  five  human  senses  (sensory  capabili- 
ties) of  either  the  security  personnel  or  the  adversary  (prefer- 
ably both) . The  desired  impact  on  an  adversary  is  to  impair  his 
acuity  or  his  will  or  ability  to  continue  an  attack.  The  desired 
impact  on  security  personnel  is  to  enhance  their  capability  of 
detecting,  recognizing,  and  deterring  the  adversary  objectives. 
In  this  report,  the  principal  concern  is  with  FEDS  that  impact 
the  senses  of  the  adversary. 

GUARD  CONTROL  STATION:  All  the  equipment  necessary  for  a guard 
to  interface  with  CSSMRS.  This  includes  Digital  Display  Units, 
Geographical  Display  Units,  television  assessment  controls, 
television  assessment  monitors,  and  communication  controls. 


HIGHER  HEADQUARTERS:  The  remote  command  unit  that  is  author- 

ized to  dispatch  the  Augmentation  Force.  It  requires  the  com- 
munications facilities  over  which  security  status  information 
about  the  site  is  conveyed. 


PERIMETER  STATION:  A secure  housi 
which  contains  a Remote  Unit, 
alarm  assessment  equipment,  and  Fo 
that  are  associated  with  one  or  mo 

REMOTE  UNIT  (RU) : All  of  the 
which  are  associated  with  eithe 
Perimeter  Station.  This  includes  a 
try  Deterrent  System(s) , Safe/Arm 


ng  , near  a perimeter  fence, 
It  interfaces  with  the  sensors, 
reed  Entry  Deterrent  Systems 
re  perimeter  segments. 

electronic  CSSMRS  components 
r a single  magazine  or  a single 
Remote  Computer,  Forced  En- 
Swi tches ,senso r s , sensor  inter- 


3 


faces,  Electronic  Lock,  Manual  Override,  digital  communications 
components,  television  camera  with  controls,  lighting,  and  TV 
interfaces,  power  supplies,  emergency  batteries  and  battery 
chargers. 

RESPONSE  FORCE:  A group  of  guards  located  outside  of  the  Exclu- 
sion Area  but  inside  the  SITE.  The  Response  Force  can  be  expected 
to  arrive  within  5 minutes  of  the  time  that  the  summons  is 
sent . 

SAFE/ARM  SWITCHES:  A combination  of  electrically  and  mechani- 
cally operated  switches  which  allow  or  prevent  the  firing  of 
the  FEDS.  These  are  supported  by  their  own  independent  standby 
emergency  power  source.  The  Safe/Arm  Switches  are  primarily  for 
the  protection  of  authorized  personnel. 

SITE:  The  general  large  area  which  includes  all  components  ex- 

cept the  Augmentation  Force. 

SITE  SECURITY  CONTROL  CENTER  (SSCC) : A facility  from  which 

control  of  site  sentry  and  response  forces  is  exercised.  This 
facility  includes  the  Central  Unit  (CU)  and  one  or  more  Guard 
Control  Stations. 

STORAGE  AREA:  The  area  within  the  boundary  fence  (or  outer  boun- 

dary fence  where  two  are  installed)  where  nuclear  weapons  may  be 
retained  for  use  elsewhere. 
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GENERAL  SYSTEM  DESCRIPTION 
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It  is  necessary  at  this  point  to  explain  that  CSSMRS  is 
not  designed  to  protect  an  area  against  overwhelming  force.  For 
good  reasons,  however,  an  exact  definition  of  "overwhelming 
force"  is  not  specified.  In  general,  the  type  of  attack  CSSMRS 
is  designed  to  defeat  are  those  attacks  for  which  advance 
warning  may  not  have  been  given  by  intelligence  gathering  agen- 
cies. (See  DoD  5210. 41M  "Nuclear  Weapons  Security  Manual"  for 
more  information.) 

In  the  past,  protection  of  areas  against  surprise  attacks 
by  "small"  forces  has  been  accomplished  by  the  use  of  strongly 
constructed  buildings,  fences,  and  most  importantly,  guard 
patrols.  Human  guards,  although  excellent  in  terms  of  flexibil- 
ity, are  notoriously  poor  when  operating  as  sensors  in  a dull, 
routine  environment.  Because  of  this,  electronic  sensors  have 
been  replacing  human  sensors  in  many  locations  during  the  past 
decade.  Because  of  sophisticated  adversary  knowledge,  these 
sensors  have  had  to  be  upgraded  often,  with  different  types  of 
sensors  being  used  in  combination  to  protect  against  the  obvious 
methods  of  defeating  the  individual  sensors.  Because  of  the 
proliferation  of  sensors  and  sensor  types  and  be-  cause  of  non- 
standardization of  interfaces,  many  systems  today  lack  in- 
tegrated alarm  reporting  and  display  methods. 


There  are  many  other  ac 
at  such  a secure  area  besides  m 
are  the  testing  of  the  sensors 
use  of  television  for  assessm 
to  patrols  and  to  alarm  monitor 
Headquarters,  maintenance  of  d 
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rent  Systems  (FEDS)  adds  ano 
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tivities  that  must  be  carried  out 
onitoring  the  sensors.  Among  them 
(which  should  be  done  frequently)  , 
ent  purposes,  assignment  of  guards 
ing  , regular  reporting  to  Higher 
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ther  dimension  of  complexity 
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The  rapidly  decreasing  cost  of  computer  hardware  and  di- 
gital communications  has  made  it  possible  to  design  an  affordable 
system  in  which  many  of  the  above  activities  are  carried  out  au- 
tomatically. This  report  is  intended  to  provide  a definitive 
description  of  such  a system,  which,  when  supported  by  specifica- 
tions, can  serve  as  a basis  for  the  procurement  of  a prototype 
for  field  test  and  evaluation. 

Desc  r i pt ion 

Figure  1 shows  the  block  diagram  of  a generalized 
CSSMRS.  It  incorporates  a number  of  Remote  Units  (RU)  and  a 
Site  Security  Control  Center  (SSCC)  containing  a Central  Unit 
(CU)  and  two  Guard  Control  Stations  (GCS)  . It  interacts  with  a 
Response  Force  and  an  Augmentation  Force. 

The  RUs  are  physically  located  within  magazines  or 
within  Perimeter  Stations.  The  Response  Force  is  usually  com- 
posed of  off-duty  guards,  while  the  Augmentation  Force  is  usual- 
ly located  considerably  farther  away. 

In  general,  each  RU  contains  a Remote  Computer  which  ac- 
cepts signals  from  a group  of  sensors  and  communicates  the  status 
of  those  sensors  to  the  CU.  Each  RU  also  has  provision  for  test- 
ing its  sensors,  upon  command  from  the  CU.  Each  RU  also  has  con- 
trol of  one  or  more  Closed  Circuit  Television  Camera(s)  (CCTV) 
and  these  cameras  may  be  activated  by  the  CU  or  from  a Guard 
Control  Station,  and  their  output  may  be  viewed  at  either  Guard 
Control  Station.  Cameras  for  assessing  perimeter  alarms  will 
normally  be  mounted  in  pairs  on  towers,  with  fixed  orientation 
and  field  of  view.  Cameras  at  magazine  sites  will  normally  be 
mounted  within  the  magazines  and  may  be  equipped  with  pan,  tilt, 
zoom,  focus  and  iris  controls  as  appropriate  to  the  individual 
installation.  RUs  will  have  control  over  (and  testing  responsi- 
bility for)  a group  of  Forced  Entry  Deterrent  Systems  (FEDS) 
situated  within  their  area.  The  CU  can  order  testing,  arming,  and 
firing  of  the  FEDS  over  digital  communication  lines.  If  commun- 
ication is  interrupted,  an  RU  may  arm  and  fire  its  own  FEDS  in 
response  to  local  alarms. 

The  SSCC  contains  the  Central  Unit,  plus  two  Guard 
Control  Stations.  Following  the  "two-man  rule",  all 

displays  and  controls  must  be  duplicated  in  such  a way  that  two 
guards,  physically  separated  from  each  other,  can  independently 
operate  and  control  the  CSSMRS.  It  is  absolutely  necessary  that 
all  guards  have  a high  degree  of  faith  in  the  reliability  of  the 
central  computer  complex  and  that  they  automatically  follow  its 
orders  To  establish  this  confidence,  it  is  required  that  the 
Mean  Time  Between  Failure  (MTBF)  of  the  central  computer  be 
long  enough  so  that  it  is  extremely  rare  for  any  guard  to 
remember  a failure.  It  is  specified  that  this  high  MTBF  be  ac- 
complished by  using  triply  redundant  computers  together  with  ma- 
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Communications  between  the  CU  and  the  RUs  is  by  fiber  op- 
tic digital  data  links  operating  at  a signalling  rate  of  56,000 
bits  per  second.  The  CU  is  equipped  with  one  or  more  communica- 
tions microprocessor  "front  ends",  each  of  which  handles  a max- 
imum of  24  RUs,  polling  each  in  sequence,  and  reporting  any 
changes  in  status  to  the  CU.  Advanced  Digital  Communications 
Control  Procedures  (ADCCP) , ANSI  X3.66,  are  used  as  link  control 
protocol.  The  56,000  bps  signalling  rate,  together  with  the  lim- 
itation of  a maximum  of  24  stations  to  a given  loop,  usually  per- 
mits an  alarm  response  time  of  0.1  second  or  less.  Multiple 
loops  are  provided,  each  operating  under  control  of  its  individu- 
al communications  microprocessor,  when  more  than  24  RU's  are 
utilized  on  a given  site.  The  fiber  optic  data  links  are  ar- 
ranged in  a dual  loop  Crossfire  arrangement  which  permits  contin- 
ued operation  in  spite  of  a cut  cable  or  the  insertion  of  a jam- 
ming signal  at  any  single  location.  The  detection  of  the  oc- 
currence of  a cut  or  jam  and  the  identification  of  the  loop  leg 
where  it  is  located  can  be  accomplished  in  less  than  a second. 


In  the  event  that  communication  between  the  CU  and  one  or 
more  RUs  is  lost  (as  evidenced  by  the  failure  of  a RU  to  receive 
a polling  message  during  a time  interval  of  0.3  second) , the  af- 
fected RU  ( s)  enter  an  autonomous  mode  of  operation  in  which  they 
will  automatically  actuate  appropriate  FEDS  in  the  event  a criti- 
cal group  of  intrusion  detectors  are  alarmed.  Recovery  from  the 
autonomous  mode  of  operation  can  be  made  by  restoration  of  regu- 
lar communications  with  the  CU.  When  access  to  the  area  protect- 
ed by  the  autonomous  RU  is  necessary  in  order  for  maintenance  ac- 
tions to  be  accomplished  to  effect  this  recovery,  it  is  possible 
to  employ  a mechanical  override  system  to  inhibit  the  automatic 
actuation  of  FEDS.  This  system  is  manually  operated  and  is  capa- 
ble of  inhibiting  the  FEDS  only  after  the  generation  of  a high- 
powered  audible  alarm  and  the  passage  of  a predetermined  minimum 
period  of  time. 


The  CSSMRS  also  provides  improved  control  of  access  to 
secure  magazines  through  the  use  of  an  electronic  key  system. 
This  involves  the  matching  of  a random  number  generated  by  the  CU 
and  transmitted  to  the  appropriate  storage  magazine  by  the  data 
link  to  the  associated  RU  with  that  same  number  as  loaded  into  a 
portable  electronic  device  that  is  issued  to  the  authorized  per- 
sonnel. In  both  cases  the  random  number  is  erased  after  a 
predetermined  period  of  time,  and  any  attempt  to  open  an  elec- 
tronic lock  with  an  invalid  key  generates  an  alarm  condition. 

To  the  extent  feasible,  CCTV  is  used  to  assess  alarm  con- 
ditions. Pyroelectric  vidicons  are  preferred  for  use  in  CCTV  as- 
sessment cameras  at  perimeter  stations  since  they  are  sensitive 
to  the  infrared  radiation  from  living  bodies  and  do  not  have  to 
depend  on  the  use  of  artificial  lighting.  Where  appropriate,  ma- 
gazine assessment  cameras  can  be  equipped  with  pan,  tilt,  zoom, 
focus,  and  iris  controls  that  are  motor  driven  and  actuated  from 
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of  functional  system  command  keys  and  controls.  Certain  guard 
activities  are  monitored  — e.g.,  alarm  acknowledgement  --  and 
failure  of  the  guard  forces  to  comply  with  established  procedures 
will  cause  automatic  backup  measures  to  be  invoked. 

Certain  naturally  occurring  environmental  disturbances 
are  monitored  by  special  sensors  associated  with  the  CU.  To  the 
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DETAILED  SYSTEM  DESCRIPTION 


Digital  Data  Communications  System 


The  selection  of  the  digital  data  communications  system 
for  use  in  the  CSSMRS  has  emerged  only  after  consideration  of  a 
large  number  of  factors  that  are  significant  to  the  performance 
of  the  overall  system.  These  have  included  response  times,  error 
characteristics,  freedom  from  interference,  security  and  integri- 
ty, reliability  and  maintainability  and  cost.  The  parameters 
that  influence  these  performance  factors  include  the  network  to- 
pology (star,  multi-drop,  ring,  etc.)  , transmission  medium 
(twisted  pair,  coaxial  cable,  optical  fiber,  etc.)  , modulation 
system,  coding,  signalling  rate,  and  communications  control  pro- 
tocol as  a minimum.  Any  choice  is  likely  to  have  both  advantages 
and  disadvantages  and  the  final  selection  is  thus  a compromise 
that  is  hopefully  optimal  in  some  overall  sense. 


Network  topologies  that  were  considered  included  the 

star,  multi-drop,  ring  and  a novel  configuration  named 
"Crossfire".  The  star  arrangement  provides  an  individual  commun- 
ications path  from  the  central  station  to  each  remote  station; 

thus,  breaking  any  path  will  isolate  only  a single  station  . Its 
disadvantages  are  the  large  amount  of  "cable"  that  are  required 
and  the  need  for  either  a port  per  circuit  or  else  complex  cir- 
cuit switching  facilities  (either  virtual  or  real)  at  the  central 
station.  Multiple  drop  arrangements  where  all  of  the  remote  sta- 
tions are  bridged  across  a single  communications  circuit  are  much 
more  economical  in  the  use  of  "cable",  but  a single  cut  can  frag- 
ment the  network,  and  a single  jam  or  "lockup"  at  a station  can 
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is  computed , and  if  correct,  the  frame  is  accepted.  In  addition, 
frames  from  both  the  CW  and  CCW  loops  are  stored  for  a period  of 
no  more  than  the  differential  propagation  and  repeater  delay  and 
are  then  compared,  bit  for  bit.  The  RU  reacts  to  the  frame  in  a 
manner  that  depends  upon  the  results  of  the  FCS  and  the  compari- 
son of  the  frame  contents.  If  the  FCS  of  both  is  correct  and  the 
comparisons  agree,  the  addressed  RU  must  send  a normal  reply  to 
the  frame  and  perform  any  command  contained  in  the  frame.  If 
only  one  FCS  is  correct  (comparison  will  always  disagree  when 
this  occurs)  , the  RU  must  report  the  loop  on  which  it  did  not  re- 
ceive a frame  or  on  which  the  FCS  was  incorrect  and  must  perform 
any  command  contained  in  the  frame  with  the  correct  FCS.  If  the 
FCS  is  incorrect  in  the  frames  received  over  both  loops,  the  RU 
must  respond  with  a "frame  reject"  message  and  ignore  the  con- 
tents of  both  frames.  If  both  frames  are  received  with  correct 
FCS's  but  their  contents  do  not  agree,  this  is  an  indication  of  a 
sophisticated  attempt  at  spoofing.  Here  the  RU  must  also  respond 
with  a "frame  reject"  message  and  ignore  the  contents  of  both 
frames  and  if  this  condition  is  repeated  for  three  successive 
polling  cycles,  the  RU  enters  the  autonomous  mode. 
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upon  the  method  of  implementation,  may  add  overhead  bits  to  the 
transmitted  data  stream.  Fiber  optics,  on  the  other  hand,  is  an 
emerging  technology.  New  components,  such  as  connectors,  power 
splitters,  etc.,  are  being  regularly  announced.  Both  the  "cable" 
and  the  supporting  hardware  is  more  costly  than  the  metallic 
counterparts,  but  it  has  demonstrated  a clear  superiority  in 
several  test  projects  constructed  by  telephone  companies.  It  is 
virtually  immune  to  influence  from  electromagnetic  interference 
or  environmental  factors  such  as  moisture  and  temperature.  It 
does  not  radiate  energy  that  can  be  surreptitiously  picked  up, 
and  the  difficulty  of  tapping  the  very  small  fiber  to  extract 
data  or  inject  false  signals  is  very  great.  So  much  so,  in  fact, 
that  it  is  considered  that  the  use  of  cryptography  to  protect  the 
integrity  of  transmissions  on  the  cable  that  are  totally  within 
the  storage  area  does  not  appear  to  be  necessary. 
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One  of  the  authors  of  this  report  has  had  extensive  ex- 
perience with  coaxial  cable  telecommunications.  In  addition,  two 
types  of  fiber  optic  systems  have  been  procured  and  have  been 
tested  and  analyzed  on  an  experimental  basis.  As  a result  of  his 
experience,  and  after  careful  consideration  of  all  available 
data,  fiber  optics  has  been  chosen  for  use  in  implementing  the 
dual  CROSSFIRE  loop  configuration  within  the  storage  area.  Its 
use  was  considerd  for  transmission  of  video  information  from  the 
CCTV  alarm  assessment  system,  but  here  the  ready  availability  of 
cable  TV  components  coupled  with  the  less  stringent  demands  for 
data  integrity  and  noise  immunity  favor  the  use  of  the  coaxial 
cable.  Further,  the  availability  of  CATV  frequency  division  mul- 
tiplex equipment  in  24  channel  increments  tends  to 
convenient  upper  limit  to  the  number  of  RUs  on 
loop.  It  should  be  emphasised  that  this  size  of  24 


establish  a 
a "Crossfire" 
stations  per 


loop  is  really  much  more  a convenience  than  an  absolute  limit. 


The  selection  of  fiber  optic  cable  as  the  transmission 
medium  for  the  digital  data  communications  network  almost  au- 
tomatically limits  the  choice  of  modulation  to  amplitude  shift 
keying  (ASK)  where  the  presence  of  an  optical  signal  represents 
one  condition,  and  the  absence  another.  Further,  since  the 
available  bandwidth  of  the  optical  fiber  is  much  greater  than  is 
likely  to  be  needed,  the  choice  of  coding  (NRZ,  NRZI,  Manchester 
or  other)  can  be  based  on  convenience  rather  than  conservation. 


Control  Procedures 


With  respect  to  communications  control  protocol.  Advanced 
Digital  Communications  Control  Procedures  (ADCCP),  ANSI  X3.66,  is 
a logical  choice  for  a number  of  reasons.  It  is  compact,  effi- 
cient, code  independent  and  incorporates  powerful  error  control 
procedures.  It  is  expected  to  be  very  widely  used  as  it  is  a 
super-set  of  the  protocol  which  has  been  introduced  by  some  of 
the  leading  computer  manufacturers,  and  with  only  minor  varia- 
tions has  been  adopted  as  an  international  standard.  Using  this 
protocol  a Primary  Station  has  primary  link  control  capability 
and  issues  command  frames  to,  and  receives  response  frames  from. 
Secondary  Stations  on  the  link.  In  the  CSSMRS  implementation  of 
ADCCP  there  will  be  a communications  microprocessor  located  at 
the  CU  that  is  associated  with  each  "Crossfire"  loop  that  func- 
tions as  the  Primary  Station,  while 
will  function  as  Secondary  Stations, 
that  takes  the  following  form: 


each  of  the 
A frame  is 


RUs 

a 


on  that  loop 
transmission 


C (Info)  FCS 


Where : 


F is  a flag  octet  of  the  form  01111110 
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A is  an  octet  depicting  the  address  of  a secondary 
station. 

C is  a control  field  octet 

(Info)  is  an  optional  information  field  of  any  length 
FCS  is  a 16  bit  frame  check  sequence  providing  error  control 
F is  the  final  closing  flag  of  the  frame 


In  addition  to  their  use  as  bit  synchronizing  characters 
and  beginning  and  end  of  frame  delimiters,  the  flag  characters 
can  be  used  as  "idle-fill"  characters.  This  usage  is  not  contem- 
plated in  the  CSSMRS  network  since  continuous  polling  and  commun- 
ications sequences  will  be  maintained  between  the  CU  and  the  RUs 
in  order  to  insure  the  immediate  detection  of  any  interruption  or 
attempt  to  insert  spurious  data  in  the  network. 

Protection  against  the  unintended  interpretation  of  data 
as  a flag  character  in  a frame  is  provided  by  the  insertion  or 
"stuffing"  of  a zero  bit  immediately  following  any  five  contigu- 
ous ones  that  occur  anywhere  between  the  opening  flag  and  the 
closing  flag  of  a frame.  The  insertion  of  the  zero  bit  thus  ap- 
plies to  the  contents  of  the  Address,  Control,  Info  and  FCS 
fields  (including  the  last  five  bits  of  the  FCS).  The  receiver 
continuously  monitors  the  received  bit  stream;  upon  receiving  a 
zero  bit  followed  by  five  contiguous  one  bits,  the  receiver  in- 
spects the  following  bit:  If  a zero,  the  five  one  bits  are 

passed  as  data  and  the  zero  bit  is  deleted.  If  the  sixth  bit  is 
a one,  the  receiver  inspects  the  seventh  bit;  if  it  is  a zero,  a 
flag  sequence  has  been  received;  if  it  is  a one,  an  abort  has 
been  received.  Although  this  may  all  sound  complicated,  single- 
chip, large-scale  integrated  circuit  implementations  of  the 
necessary  logic  to  perform  this  and  other  ADCCP  functions  are  now 
readily  available. 

The  Address  field  is  one  eight-bit  byte  that  designates 
a secondary  station  address.  The  address  that  is  used  in  a com- 
mand frame  issued  by  the  primary  station  is  that  of  the  secondary 
station  to  which  the  frame  is  directed.  The  address  in  a 
response  is  the  address  of  the  responding  secondary. 

ADCCP  provides  an  extensive  repertory  of  commands  and 
responses  that  go  well  beyond  the  rather  modest  requirements  of 
the  CSSMRS  network.  These  can  be  satisfied  with  a subset  of  only 
four  unnumbered  commands  and  three  un-numbered  responses.  Their 
bit  patterns  and  the  mnemonics  by  which  they  are  referenced  are 
as  fol lows : 

Command  s : 
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Bit  Pattern 


Mnemon ic 


Function 


11001000 


11001100 


11011000 


11011001 


UI 


UP 


PN 


APN 


This  command  indicates  that  the  associated 
frame  has  an  information  field  containing 
instructions  that  must  be  executed  by  the 
remote  station  that  is  the  addressee.  This 
information  field  will  contain  either  one 
or  two  eight  bit  bytes  and  convey  the 
meanings  shown  in  Table  I.  The  immediate 
response  to  this  frame  will  be  a UA  frame 
followed  on  later  polling  sequences  by  UI 
frames  reporting  any  status  changes  that 
have  resulted  from  the  execution  of  the 
received  instructions. 
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This  is  one  of  the  non-reserved  command 
bit  patterns  that  is  permitted  by  X3.66 
for  use  in  unique,  application  dependent 
circumstances.  Here,  it  has  been  assigned 
the  meaning  of  a conditional  poll  command. 
The  addressed  secondary  is  to  respond  with 
a UI  frame  with  an  information  field 
reporting  any  change  of  status  since  the 
last  report  if  any  such  change  has  occurred. 
If  there  has  been  no  status  change,  the 
response  is  a UA  frame. 


This  is  also  a non-reserved  command  that 
may  be  assigned  an  application  dependent 
meaning.  It  is  used  to  acknowledge  the 
receipt  of  a UI  response  to  a PN  command 
occurring  on  the  preceding  poll  cycle 
and  it  conveys  the  additional  meaning  of 
a regular  PN  command. 


Responses : 

Bit 

Pattern 

Mnemon ic 

Func  t ion 

1100 

1110 

UA  This  is 

a 

response 

tha  t 

acknowledges  the 

correct 

receipt 

o f 

the 

immediately  preceding 

command 

f r ame . 

If 

that 

immed  ia tel y 

pr  eced  i 

ng 

command 

f r ame 

was  a PN  command , 
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11001000 


11101001 


UI 


FRMR 


The 

dancy  check 
nomial  X**16 
provides  a 


the 

UA  also  ind 

icates  that 

there 

ha 

s 

been 

no 

change  in  the  status  at 

the  st 

a t 

io 

n 

sue 

h as  intrusi 

on  or  tampe 

r a 

1 arm 

f 

al 

arm 

rec 

overy,  loss 

of  po we r , e 

tc  . 

Th 

er 

e 

i s 

no 

information 

field  in  a 

UA 

f r am 

e . 

The 

UI  response 

d esig  nates 

a 

f r am 

e 

CO 

nta  in 

ing 

an 

in  fo  rmat ion 

field.  The 

in 

fo  rm 

at 

io 

n fie 

Id 

wi  1 

1 have  the  format  shown 

in 

Tabl  e 

I 

I . 

Thi 

s is  a frame 

reject  res 

pon 

se  a 

nd 

i 

s i ss 

ued 

by 

the  addressed  secondary 

wh 

en  a 

n 

er 

ror 

is 

detected  in 

the  immedia 

tel 

y pr 

ec 

ed 

ing 

rec 

eived  frame. 

An  error 

i s 

ind  i 

c a 

ted  by 

the 

receipt  of 

a frame  tha 

t i 

s 1 e 

ss 

than 

48 

bits  long,  o 

r one  in  wh 

ic  h 

the 

FCS 

doe 

s not  com put 

e correctly 

• 

Sequence,  FCS, 

is  a 16  bit 

c ycl  ic 

red  un- 

Frame  Check 

sequence  that  is  developed  using  the  CCITT  V. 41  Poly- 
+ X ** 1 2 + X**5  + 1 as  specified  in  ANSI  X3.66.  This 
very  high  level  of  error  control;  in  frames  of  the 


size  that  will  be  employed  in  the  CSSMRS,  it  has  been  estimated 
that  only  about  15  to  20  frames  per  million  frames  having  errors 
will  be  accepted  as  correct  frames.  If  the  detected  frame  error 
rate  is  one  in  10**5,  then  an  undetected  frame  error  rate  of  less 
than  one  in  10**9  would  be  anticipated. 


In  all  cases,  responsibility  for  error  recovery  rests 


with  the  primary 
will  exercise  is 
ceived  a correct 
It  will  return 
operation  upon 
pr  imar  y . 


station.  The  only  initiative  that  the  secondary 
to  enter  the  autonomous  mode  if  it  has  not  re- 
frame of  any  type  within  0.3  seconds, 
from  the  autonomous  mode  to  the  normal  mode  of 
the  resumption  of  communications  with  the  CU,  or 
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TABLE  I 


INFORMATION  FIELD  FORMAT  FOR  COMMAND  FROM  CU  TO  RU 

The  information  field  is  of  variable  length  and  may  con- 
tain one  or  more  single  byte  or  two-byte  commands.  Single  byte 
commands  are  identified  by  a zero  in  bit  positions  one  and  two. 

FORMAT 

BITS  FUNCTION 


1 

2 

3 

4 

5 

6 

7 

8 

0 

0 

0 

0 

0 

0 

0 

1 

Pan  Camera  to  the  right 

0 

0 

0 

0 

0 

0 

1 

0 

Pan  Camera  to  the  left 

0 

0 

0 

0 

0 

0 

1 

1 

Tilt  Up 

0 

0 

0 

0 

0 

1 

0 

0 

Tilt  Do  wn 

0 

0 

0 

0 

0 

1 

0 

1 

Zoom  In 

0 

0 

0 

0 

0 

1 

1 

0 

Zoom  Out 

0 

0 

0 

0 

0 

1 

1 

1 

Iris  Open 

0 

0 

0 

0 

1 

0 

0 

0 

Iris  Closed 

0 

0 

0 

0 

1 

0 

0 

1 

Focus  In 

0 

0 

0 

0 

1 

0 

1 

0 

Focus  Out 

0 

0 

0 

0 

1 

0 

1 

1 

Lights  On 

0 

0 

0 

0 

1 

1 

0 

0 

Lights  Off 

0 

0 

0 

0 

1 

1 

0 

1 

Camera  On 

0 

0 

0 

0 

1 

1 

1 

0 

Camera  Off 

0 

0 

0 

0 

1 

1 

1 

1 

"SAFE"  (Disable)  FEDS 

0 

0 

0 

1 

0 

0 

0 

1 

through  00011110  Same  as  above  except  for  + 

location  (next  higher  perimeter  segment  number) . 

0 

0 

0 

1 

1 

1 

1 

1 

"ARM"  (Enable)  FEDS 

0 

0 

1 

0 

n 

n 

n 

n 

Test  FEDS  Identified  by  Binary  Value  of  n n n n 

0 

1 

0 

0 

n 

n 

n 

n 

Fire  FEDS  Identified  by  Binary  Value  of  n n n n 

provided  byte  two  is  identical  to  this  byte. 

1 

0 

X 

X 

0 

X 

X 

X 

Spare  Two  Byte  Commands 

1 

0 

0 

0 

1 

0 

0 

0 

Test  Sensor  Identified  by  Binary  Value  of  Byte  Two 

1 

1 

0 

0 

0 

0 

0 

0 

Load  Electronic  Lock  With  Random  Number  in  Byte  Two 

1 

1 

1 

X 

X 

X 

X 

X 

Spare  Two  Byte  Commands 

Note 

that  a second  byte  is  required  whenever  the  binary 

val  ue 

of  ] 

bits 

one  and  two  in  byte  one  exceeds  zero. 
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TABLE  II 


Format  for  the  information  field  of  frames  transferred 
from  the  RU  to  the  CU  reporting  full  status  or  change  of  status: 


Bi 

t State  Zero 

State  One 

1 

No  change  this  frame 

Flag  - Change  this  frame 

2 

FEDS  electrically  "SAFE" 

FEDS  electrically  "ARMED" 

3 

FEDS  manually  "ARMED" 

FEDS  manually  "SAFE" 

4 

Power  OK 

On  backup  batteries 

5 

Lights  off 

Lights  on 

6 

Lights  + off 

Lights  + on 

7 

CCTV  off 

CCTV  on 

8 

CCTV  + off 

CCTV  + on 

Then,  if  this  is  a response 

to 

a command  for  a full  status 

re 

port,  there  will  follow  one  byte 

fo  r 

each  connected  sensor  and  FEDS. 

Th 

is  byte  will  have  the  following  form 

at : 

Bi 

t 

Sta 

te  Zero 

Sta 

te 

One 

1 

Sec 

ur  e c 

ond 

i tion 

Al  arm 

cond  i 

t i 

on 

2 

No 

test 

in 

process 

Test 

in  pro 

ce 

ss 

3 

through  8 

repr 

ese 

nt  binar 

y id 

enl 

t i ty  of  the 

senso  r 

o 

r FEDS 

In 

the  c 

ase 

of  FEDS 

, th 

e 

alarm  cond 

it  ion 

( 

bit  one 

St 

a te 

one) 

cor  re 

s ponds  to  a 

fir 

ed 

or  missing 

squib . 

When  bit  one  of  byte  one  is  set  to  the  one  state  and  the 
frame  is  a response  to  a PN  command,  then  only  those  bytes  are 
transmitted  that  are  required  to  identify  the  change  in  status 
that  has  occurred.  For  example,  if  a single  sensor  alarmed,  the 
information  field  would  only  contain  two  bytes;  byte  one  from 
Table  II  above,  and  a second  byte  denoting  the  change  in  status 
and  identity  of  the  alarming  sensor. 
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The  following  are  to  be  used  as  Peripheral  Identification 
Numbers  (PIN)  for  the  various  types  of  sensors  and  FEDS  that  may 
be  associated  with  any  CSSMRS  RU.  Note  that  each  Perimeter  Sta- 
tion controls  two  fence  segments.  In  this  table,  those  perimeter 
sensors  that  are  not  followed  by  a "+"  symbol  are  for  the  segment 
that  has  the  same  address  as  the  Perimeter  Station;  those  fol- 
lowed by  a "+"  have  the  next  highest  segment  number. 


PIN 

Type 

1 

MAID/MILES 

2 

do  + 

3 

FDS  or  piezo  fence  sensor 

4 

do+ 

5 

Mic  rowave 

6 

do  + 

7 

E-Field 

8 

do  + 

9 

Laser  or  other  optic  fence 

10 

do  + 

11 

BLID  or  other  seismic 

12 

do  + 

13 

Radar  target  detection  unit 

14 

do  + 

15 

Sonar 

16 

do  + 

17 

Acoustic  interferometer 

18 

do  + 

19 

other  perimeter 

20 

do  + 

(water) 


Area  Sensors  of  the  following  types: 


21 

Microwave  doppler 

22 

Ultrasonic  doppler 

23 

Radio  Frequency  (SWR 

24 

Passive  ultrasonic 

25 

Acoustic 

26 

Infrared 

27 

Visible 

28 

Spare 

Point  Sensors  of  the 


following 


type  s : 


29 

Capac i tance 

30 

Mag  ne t ic 

31 

Se i sm  ic 

32 

Thermal 

33 

Vibration 

34 

Brea  kwi re 

35 

Foil  on  glass 
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36 

Magnetic  switch 

37 

do  . 

38 

do  . 

39 

Successful  openi 

ng  of  electronic 

lock 

40 

Tamper  alarm 

on 

electronic  lock 

41 

Tamper  alarm 

on 

any  installed  se 

nso  r 

42 

Tamper  alarm 

on 

Remote  Computer 

Cabinet 

43 

Tamper  alarm 

on 

CCTV 

44 

do  . + 

45 

Poll  received 

on 

clockwise  loop 

only 

46 

Poll  received 

on 

counterclockwise  loop  < 

47  - 

56  Spares 

Forced  Entry  Deterrent  System 

s o 

f the  following 

types : 

57 

Relocker  on  m 

ag  a 

zine  door 

58 

Relocker  on  m 

ag  a 

zine  door 

59 

Vapor  type  FEDS 

in  magazine 

60 

Liquid  type  FEDS 

in  magazine 

61 

do  . + 

62 

spare 

63 

spare 

64 

spare 

y 


By  providing  this  list  of  identification  numbers  that  can 
be  used  for  any  member  of  a generic  class  of  sensors,  it  should  be 
possible  for  a given  site  to  employ  whatever  type(s)  of  sensors 
are  most  appropriate  to  it's  environment  and  circumstances  without 
having  to  r 
the  CSSMRS . 
sensor  and 
any  site, 
new  sensor 


eso  r t 

to  the  pre 

pa  ration  of  s 

ite  specific  software 

That 

: is. 

a PIN 

9 is  a 1 wa ys 

an  optical  perimeter 

a PIN 

33  is 

; al  wa 

ys  a vibratio 

n sensor  at  any 

RU 

o f 

Spare 

PINs 

hav  e 

been  provided 

for  allocation 

to 

po 

type  s 

that 

may  b 

e developed  i 

n the  future. 
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With  the  m 

essage  formats 

shown 

in 

Tables  I and 

II,  the  RU 

is 

required  to 

prov 

ide  buffer 

space 

fo 

r six  bytes  each  for  the 

cl  oc 

kwise  and  coun 

ter  c 

lockwise  m 

essag  e 

1 

oops  at  the 

CROSSFIRE 

controller,  however,  o 

nly  a maximum  of 

fo 

ur  bytes  of  ac 

cepted  in- 

coming  messages  wo 

uld 

be  passed 

to  the 

m 

ic  roprocesso  r : 

the  ad- 

dress  and  control 

byte 

s,  and  whe 

re  pr e 

sen 

t,  the  informa 

tion  field 

of  i 

ncoming  messag 

es . 

On  the 

o ther 

hand , the  comm 

unications 

proc 

essor(s)  and 

the 

CU  at  the 

pr  imar  y 

station  must  b 

e prepared 

to  accept  informat 

ion 

fields  o f 

variable 

length  in  the 

messag  es 

that 

they  receive 

in 

responses 

from  the 

RUs  . In  the  m 

ajority  of 

inst 

ances,  however 

, fr 

ames  exchanged  b 

etween  the  CU  and 

the  RUs 

are 

not  expected 

to 

contain  in 

fo  rmat 

ion 

fields  since 

under  nor- 

mal  , 

secure  condit 

ions 

there  wil 

1 be  a 

PN 

command  frame 

going  out 

from 

the  CU  and  a 

UA 

response  r 

eturni 

ng 

from  the  addre 

ssed  RU  as 

each 

RU  on  the  loo 

pis 

polled  in 

a co 

nti 

nuing  sequenc 

e without 

pa  us 

e or  interrupt 

ion . 

A nominal 

response  time 

target 

fo 

r the  CSSMRS 

has  been 

arb  i 

trarily  established  as  0. 

1 seco 

nd  . 

The  only  jus 

t i f icat ion 

for 

this  arbitrary 

sel 

ection  is 

that  0 

. 1 

second  is  comparable  to 

typical  minimum  human  reaction  times 


With  an  operating  bit  rate  of  56,000  bits  per  second,  a 
primary  station  can  transmit  a PN  frame  and  a secondary  can 
transmit  a UA  frame,  each  48  bits  long,  in  1.72  ms.  Allowing  80 
microseconds  for  propagation  delay  and  microprocessor  response 
times,  these  types  of  frames  could  be  exchanged  with  a different 
RU  each  1.8  ms.  and  a loop  of  24  RUs  could  be  polled  every  43.2 
ms.  Looking  at  it  from  a different  viewpoint,  in  0.1  second, 
with  the  same  operating  bit  rate,  propagation  delay  and  micropro- 
cessor response  times,  there  would  be  time  enough  for  the  CU  to 
send  a command  with  a one  byte  information  field  and  receive  a 
response  with  a 15  byte  information  field  from  each  of  24  RUs  on 
a loop.  From  these  calculations  we  conclude  that  the  56,000  bit 
per  second  signalling  rate  is  adequate  to  support  the  target 
response  time  in  all  but  the  most  unusual  circumstances.  In  fact 
it  is  difficult  to  imagine  a set  of  circumstances  that  would  gen- 
erate data  at  even  this  rate.  These  calculations  also  justify 
the  position  that  the  RU  should  expect  to  receive  polling  frames 
at  intervals  of  about  0.1  second,  and  that  if  a frame  has  not 

3 second  it  should  assume  that  it  has  become 
enter  the  autonomous  mode. 


been  received  for  0 
isolated  and  should 
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CROSSFIRE  Operations 


Under  normal  circumstances  the  communications  micropro- 
cessor assigned  to  each  loop  is  continuously  polling  each  Remote 
Unit  in  its  loop,  (see  Fig.  3).  These  polling  messages  are  sent 
on  both  the  clockwise  and  the  counter-clockwise  channel. 
These  messages  are  repeated,  bit  by  bit  with  less  than  a mi- 
crosecond delay,  at  each  Remote  Unit,  and  they  should  arrive 
back  at  the  transmitting  CU  microprocessor  with  very  little  dif- 
ferential delay. 


REMOTE 

UNITS 


Figure  3 Digital  Data  Network 
Figure  4,  "Digital  Communications  Controller"  shows 
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the  Remote  Unit  controls  for  a CROSSFIRE  loop.  Note  that  each 
loop  has  an  optical  receiver,  an  electronic  amplifier  and  an  opt- 
ical transmitter.  Each  incoming  pulse  of  light  is  detected,  am- 
plified and  retransmitted  without  delay  as  a reconstituted  bit. 
Each  loop  also  has  a circuit  to  calculate  and  confirm  the  validi- 
ty of  the  Frame  Check  Sequence  (FCS),  and  a buffer  register. 
There  is  a common  comparator  to  establish  whether  message  con- 
tents are  identical  for  each  channel.  The  switches  are  in  the 
"Receive"  position  as  shown  except  when  the  RU  is  transmitting  in 
response  to  a poll. 


Figure  4 


Digital  Communications  Controller 


Assume  that  each  RU  is  within  one  microsecond  of  the 
adjacent  RU's,  on  the  average,  including  propagation*  and 
transmission  delays.  For  the  maximum  population  of  24  RUs 
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two 
r e- 
pe  r 


loop,  a frame  received  on  the  CW  and  on  the  CCW  loop  will  arrive 
at  any  RU  within  24  microsecond  of  each  other.  This  delay  is 
caused  by  the  differing  distances  from  the  CU  to  the  RU  on  the 
CW  and  CCW  loops.  Both  the  CW  and  the  CCW  messages  are  stored 
and  the  FCSs  are  checked.  If  the  messages  are  identical  and 
the  FCSs  correct,  the  addressed  Remote  Unit  transmits  its 
answer  to  the  polling  message.  The  delay  between  the  poll  and  the 
answer  must  be  less  than  the  period  required  to  transmit  a 
minimum  length  frame;  this  requirement  makes  it  impossible  to 
spoof  the  network,  as  will  be  discussed  in  a later  paragraph.  The 
answer  from  the  RU  to  the  CU  is  transmitted  simultaneously  over 
both  the  CW  and  the  CCW  channels. 

In  the  event  of  a cable  cutting  attack  between  the  CU  and 
RU-A,  see  Fig.  5,  all  RUs  will  receive  their  polling  messages 
via  the  CCW  channel  only.  Each  RU  reports  this  fact  in  turn  to 
the  CU,  which  already  knows  that  it  is  not  receiving  its  own 
"echo"  on  the  CCW  channel.  Transmission  is  initiated  by  each  RU 
on  both  channels,  but  only  the  CW  channel  arrives  at  the  CU. 
The  CU,  knowing  that  all  of  the  RUs  are  replying,  but  only  by  way 
of  the  CW  channel,  correctly  decides  that  the  cutting  attack 
is  between  the  CU  and  RU-A.  The  CU  then  issues  an  order  to  a 
guard  patrol  to  investigate  the  path  in  question,  while,  at  the 
same  time,  patching  in  the  closest  assessment  television  camera. 
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Figure  5 Crossfire  Loop 


If  the  fiber  optics  cable  is  cut  between  two  RUs , for  ex- 
ample between  RU-D  and  RU-E,  the  location  of  the  attack  point  is 
equally  straightforward  . The  CU  observes  the  fact  that  RU-A,B,C, 
and  D replied  to  their  polls  only  on  the  CCW  channel  , while  RU-E 
and  F replied  only  on  the  CW  channel.  The  break  is  therefore  in 
the  trench  between  RU-D  and  RU-E.  Establishing  this  fact  takes 
only  one  polling  cycle,  which  is  0.1  seconds  or  less.  Note  that 
this  method  isolates  malfunctioning  components  as  well  as  adver- 
sary a ttac  ks  . 

In  the  event  that  a trench  is  dug  up  by  an  adversary  and 
a jamming  attack  is  made,  with  the  jam  applied  in  both  directions 
on  both  channels,  communications  is  still  maintained  between  all 
units,  and  the  location  of  the  attack  is  determined  within  one 
polling  cycle.  Assume  the  attack  was  made  between  RU-D  and  RU-E. 
The  jamming  signal  on  the  CW  channel  propagates  through  RU-E  and 
RU-F,  but  does  not  affect  units  D,C,B,or  A.  The  jamming  signal  on 
the  CCW  channel  propagates  through  units  D,C,B,  and  A,  but  does 
not  affect  units  E and  F.  Thus,  all  messages  to  units  E and  F on 
the  CW  channel  are  destroyed,  but  messages  to  E and  F are 
correctly  received  via  the  CCW  channel.  Similarly,  messages  to 
units  A, B , C,  and  D are  destroyed  on  the  CCW  channel,  but  are 
correctly  received  on  the  CW  Channel.  In  order  to  locate  the  po- 
sition of  the  attack,  the  Central  Unit  needs  only  to  recognize 
that  polls  from  units  A,B,C,and  D were  answered  on  only  the  CCW 
channel,  while  units  E and  F answered  on  the  CW  channel  only. 
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Note  that  only  messages  with  a valid  FCS  are  acted  upon. 

Although  cutting  of  a fiber  optics  cable  is  relatively 
simple  (once  the  trench  has  been  dug  up  undetected)  , the  inser- 
tion of  an  efficient  jamming  signal  requires  more  elaborate 
equipment.  The  most  sophisticated  attack  is  an  attempt  to  insert 
a false  message  into  the  system  which  is  interpreted  as  originat- 
ing with  a friendly  source  ("spoofing") . The  CROSSFIRE  net  pro- 
tects against  this  by  a traffic  protocol  (previously  mentioned) 
which  requires  that  at  no  time  is  there  a silent  period  in  the 
loop  which  is  long  enough  for  an  adversary  to  insert  a legal  mes- 
sage with  a correct  CRC.  Thus,  all  spoofs  inserted  into  a fiber 

without  cutting  will  collide  with  legitimate  messages  and  cause 
CRC  errors.  If  a channel  is  first  cut,  a very  sophisticated  spoof 
may  arrive  at  a down-channel  RU  successfully,  with  a correct  CRC. 

If  the  message  did  not  contain  exactly  the  same  message  as  the 

one  received  by  the  same  RU  on  the  other  channel,  the  RU  is  per- 
mitted only  to  report  this  occurrence,  but  is  not  permitted 

to  follow  any  commands  contained  in  either  message.  This  results 
in  the  addressed  station  going  into  one  of  the  autonomous 

states.  The  location  of  such  a spoofing  attack  is  determined  by 

the  Central.  Unit  in  a fashion  similar  to  that  used  for  lo- 

cating the  source  of  a jam;  this  is  accomplished  in  one  loop  pol- 
ling period.  Guards  are  automatically  dispatched  to  the  loca- 
tion. 

In  the  prototype  CSSMRS  system  the  defense  against  bug- 
ging relies  on  the  difficulty  of  conducting  surreptitious  reading 
of  the  fiber  optics  channels  without  alerting  guard  forces.  Since 
the  fiber  signals  cannot  be  detected  remotely,  the  channel  can 
only  be  read  by  excavating  a portion  of  the  trench,  removing 
several  protective  coatings  from  the  f iber  , in  trod uc ing  a method 
of  removing  a portion  of  the  light  energy  without  interrupting 
the  normal  flow  of  traffic,  recording  the  light  pulses,  and 
decoding  the  complex  format. 

CSSMRS  is  also  designed  so  that  information  obtained  by 
bugging  a fiber  optics  loop  is  not  particularly  valuable  to  an 
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the  transmission  capabilities  of  leased  telecommunications  cir- 
cuits that  are  readily  and  economically  available. 

Radio  surface  or  satellite  links  are  not  recommended  for 
either  of  the  alternative  paths  for  this  secure  data  link  if  a 
landline  facility  can  possibly  be  employed. 

The  secure  data  link  is  used  to  keep  higher  headquarters 
advised  as  to  the  security  status  of  the  site,  and  in  certain  em- 
ergency conditions,  to  automatically  summon  Augmentation  Forces. 
It  is  thus  quite  important  that  the  operational  status  of  this 
link  be  continuously  monitored.  This  can  be  accomplished  by  the 
regular  exchange  of  messages  between  the  CU  and  the  higher  head- 
quarters station  using  both  manual  and  automatic  exchange 
routines  that  are  independent  of  messages  that  report  site 
status.  The  automatic  routine  begins  when  the  CU  selects  one  of 
the  two  redundant  paths  and  sends  a test  frame  to  the  higher 
headquarters  station.  This  frame  has  an  information  field  con- 
taining four  eight  bit  bytes.  The  first  byte  contains  any  ran- 
domly selected  bit  pattern  except  eight  zeros  and  the  next  three 
bytes  are  a three  digit  ASCII  sequence  number.  Upon  receipt  at 
the  higher  headquarters  station,  the  first  byte  of  the  informa- 
tion field  is  tested  for  "ones".  If  all  bits  are  zero,  it  is  not 

a circuit  test  frame  and  the  rest  of  the  bytes  represent  a mes- 

sage conveying  information;  if  one  or  more  bits  in  the  first 
byte  are  "ones"  the  remaining  bytes  are  a sequence  number  to  be 
used  to  confirm  operational  status  of  the  link.  This  sequence 
number  is  accepted,  incremented  by  one,  modulo-999,  and  placed  in 
the  information  field  of  a four  byte  return  frame  whose  first 
byte  also  contains  a random,  non-zero,  binary  value.  This  frame 
is  returned  via  the  same  communications  path  on  which  it  was  re- 
ceived. On  the  next  exchange,  the  other  path  is  employed  and  the 

process  is  repeated.  These  exchanges  can  be  accomplished  in 
about  75  ms.,  so  they  should  be  automatically  initiated  at  the 
same  time  as  the  RU  polling  cycle  (every  100  ms.)  and  three  un- 
successful attempts  to  exchange  frames  on  either  path  is  con- 
sidered as  an  adequate  basis  for  declaring  an  outage  on  that 
pa  th . 


The  use  of  the  random  field  in  byte  one  of  the  messages 
that  are  exchanged  to  monitor  the  integrity  of  the  redundant  path 
secure  data  link  is  to  make  it  more  difficult  to  attack  the  cryp- 
tographic system.  This  variable  together  with  the  changing  se- 
quence number  in  the  other  three  bytes  of  the  information  field 
permits  an  average  of  128,000  different  messages  to  be 

transferred  before  one  is  repeated.  It  should  be  noted,  however, 
that  an  adversary  could  record  one  of  the  monitoring  messages  and 
then  attempt  to  substitute  this  recording  for  an  information 
bearing  message  from  the  site  to  higher  headquarters.  There 
would  be  one  chance  in  a thousand  that  the  recording  would  have 
the  expected  sequence  number.  The  random  field  in  byte  one  helps 
protect  the  crypo tg raphic  system  but  does  not  influence  the  con- 
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tinuity  of  sequence  numbers. 
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and  which  would  be  capable  of  alerting  the  Response  Forces  even 
if  their  normal  call-up  link  had  been  cut. 

Video  Data  Transmission  System 

Closed  Circuit  Television  (CCTV)  will  be  employed  in  the 
CSSMRS  to  the  maximum  extent  practical  for  the  assessment  of 
alarms.  Standard  525  line  video  equipment  is  selected  on  the 
basis  of  cost,  availability  and  maintainability.  Cameras  will 
normally  be  operated  with  the  vidicon  heaters  continuously 
powered  so  that  video  output  is  immediately  available  without  a 
warm  up  delay.  This  is  controlled  using  command  frames  over  the 
digital  data  network  as  described  in  the  preceding  sections. 
Where  remote  control  of  other  camera  features  such  as  pan,  tilt, 
zoom,  etc.,  are  required  the  appropriate  drive  motors  will  be  en- 
ergized by  the  RU  microprocessor  through  the  interpretation  of 
the  applicable  digital  commands.  Each  of  the  motor  drive  com- 
mands will  cause  application  of  power  pulses  to  the  selected 
stepping  motor  to  continue  for  0.1  second,  thus  a series  of 
identical  drive  commands  on  successive  poll  cycles  will  result  in 
essentially  continuous  drive  motion.  The  displacement  from  "home 
position"  caused  by  any  drive  command  is  remembered  by  the  RU  and 
when  the  camera  is  turned  off  and  released  from  assessment  the 
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command  sequences  are  recalled  and  are  reversed  so  as  to  return 
the  camera  to  a preset,  optimized  initial  condition.  It  is  anti- 
cipated that  not  all  cameras  may  require  such  adjustment  features 
and  when  they  are  not  so  equipped,  that  fact  will  be  annunciated 
at  the  viewing  monitor  in  the  guard  control  stations. 

For  transmission  of  the  video  from  the  CCTV  cameras  back 
to  the  CU  and  the  guard  control  stations,  consideration  was  given 
to  three  alternatives:  individual  optical  fibers,  individual 

coaxial  cables  and  frequency  division  multiplexing  a limited 
number  of  camera  output  signals  on  a single  coaxial  cable. 

Optical  fibers  are  available  with  adequate  bandwidth  for 
video  use,  but  the  el ec troopt ical  transducers  (lasers  and  photo- 
detectors) with  the  required  response  times  are  very  expensive; 
typically  hundreds  of  dollars  each  as  contrasted  to  the  few  dol- 
lars each  for  transducers  capable  of  supporting  the  56,000  bit 
per  second  digital  data  network.  While  these  costs  will  probably 
decline  with  future  use  of  fiber  optic  components  in  telephone 
trunking  applications,  it  was  not  believed  that  they  could  be 
currently  justified  for  alarm  assessment  applications. 

Individual  video  coaxial  cable  per  camera  circuits  have 
been  used  in  many  alarm  assessment  installations.  Their  advan- 
tage is  that  the  failure  of  a single  cable  disables  only  a single 
camera;  their  disadvantages  include  the  large  amounts  of  cable 
required,  the  likelihood  that  many  equalizing  amplifiers  may  be 
required  and  the  lack  of  routing  redundancy.  The  construction 
work  that  accidentally  cuts  through  a cable  trench  will  probably 
disable  many  cameras  rather  than  a single  camera. 


The  third  alternative,  frequency  multiplexing  a limited 
number  of  cameras  on  a single  coaxial  cable,  capitalizes  on  the 
techniques  and  hardware  that  have  been  developed  for  the  cable 
television  industry.  Commercial  hardware  is  readily  available  to 
accept  video  from  a camera  and  modulate  one  of  up  to  24  of  the 
standard  television  carrier  frequencies.  Twenty  four  cameras  can 
then  be  bridged  on  a single  cable  that  covers  one  loop  segment  of 
the  digital  data  network  and  shares  the  same  cable  trenches. 
Broad  band  repeater  amplifiers  are  installed  as  required  along 
the  length  of  the  cable  at  appropriate  RUs . Each  camera  has  a 

and  the  common  repeaters  amplify  all  channels, 
second  cable  running  in  the  reverse  direction  as 
a loop  arrangement  is  formed  so  that  there  are 
paths  from  each  camera  location  to  the  CU.  This 
provides  a desirable  degree  of  redundancy  and  resistance  to  at- 
tack. At  perimeter  locations,  where  two  fixed  cameras  are  mount- 
ed on  each  tower  and  aligned  to  cover  one  perimeter  segment,  one 
camera  will  be  connected  to  one  cable  and  the  other  camera  will 
be  connected  to  the  other  cable.  At  magazine  locations,  where 
only  a single,  possibly  controllable,  camera  is  installed,  it 
will  be  connected  to  both  cables.  All  cameras  are  synchronized 


separate  channel 
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shown  in  Fig . 6 , 
two  alternative 
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to  prevent  picture  roll-over  when  switching  monitors  from  one 
camera  to  another  or  when  switching  a camera  to  automatic  record- 
ing devices.  Sync  pulses  are  sent  out  over  the  cables  used  for 
incoming  signals  using  base  band  signalling  and  appropriate  low 
pass  filters.  Monitors  are  high  resolution  television  receivers 
and  any  monitor  can  be  connected  to  any  camera  by  simply  switch- 
ing in  the  proper  cable  and  proper  frequency  on  that  cable. 


The  exact  positioning  of  perimeter  assessment  CCTV  cam- 
eras is,  of  necessity,  site  specific,  but  some  general  guidelines 
are  suggested  in  Figure  7.  Here,  two  cameras  are  mounted  on  a 
common  pole  and  trained  on  the  same  100  meter  perimeter  segment. 
One  of  the  cameras  is  equipped  with  a 75  mm  lens  that  will  pro- 
vide 0.75%  horizontal  field  of  view  resolution  over  a 25  meter 
wide  region  at  the  remote  end  of  the  100  meter  perimeter  segment, 
and  coverage  over  an  increasingly  narrow  region  back  to  the  near 
end  of  the  segment.  The  second  camera  is  equipped  with  a 50  mm 
lens  and  provides  an  enlarged  wedge  of  coverage  over  the  near  50 
meter  portion  of  the  segment.  The  cameras  are  mounted  in  a hous- 
ing that  is  resistant  to  fire  from  small  arms  and  that  is  shaped 
so  that  ropes  cannot  be  readily  suspended  from  it  but  will  slide 
off.  The  housing  is  elevated  about  5 meters  and  is  swung  outside 
of  the  inner  fence  so  that  the  outside  of  the  inner  fence  is 
within  the  field  of  view  of  both  cameras.  The  pole  or  tower  sup- 
porting the  cameras  is  located  about  50  meters  away  from  the  seg- 
ment that  they  will  assess. 
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MAGAZINE 


PERIMETER 


Figure  6 Proposed  Video  Network 


This  CATV  approach  is  advocated  for  any  CSSMRS  installa- 
tion where  more  than  four  CCTV  assessment  cameras  are  employed 
because  of  its  flexibility,  economy  and  redundancy.  Where  four 
or  fewer  CCTV  cameras  are  used  for  assessment,  individual  cables 
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interconnecting  the  video  signals  from  each  camera  to  its 
monitor  are  the  preferred  arrangement. 


own 


Voice  Communications  Facilities 

Telephone  communications  will  be  required  between  the 
Guard  Control  Stations  and  each  guard  patrol  station,  magazine 
entrance  and  RU.  In  addition,  radio  communications  will  be  re- 
quired between  the  Guard  Control  Stations  and  each  mobile  and  am- 
bulatory patrol,  and  a public  address  system  is  required  to  warn 
would-be  intruders.  It  is  assumed  that  these  facilities  will  al- 
ready be  on-site  and  that  their  adaptation  to  the  CSSMRS  will  in- 
volve only  minor  extensions  to  the  existing  network  and  the  addi- 
tion of  voice  activated  recording  facilities. 

Remote  Unit 


A Remote  Unit,  RU  is  a generic  term  that  has  been  coined 
to  describe  that  assemblage  of  CSSMRS  components  that  are  collo- 
cated at  either  a single  magazine  or  a single  perimeter  station. 
In  the  case  of  a magazine,  it  includes  a microprocessor,  FEDS, 
Safe/Arm  switches  (electronic  and  manual) , an  electronic  lock 
with  its  manual  emergency  override  mechanism,  digital  communica- 
tions components,  an  appropriate  selection  of  sensors  and  testing 
components,  CCTV  (with  camera  controls  if  required)  , video  com- 
munications components,  lighting  and  controls,  all  of  the  inter- 
face components  necessary  to  integrate  these  elements  and,  final- 
ly, main  and  backup  power  supplies  for  their  operation.  These 
will  all  be  installed  within  the  magazine.  In  the  case  of  a per- 
imeter station,  similar  components  are  involved;  however,  a sin- 
gle microprocessor  will  be  associated  with  the  sensors,  FEDS, 
CCTV,  etc.,  required  for  two  perimeter  segments  (zones)  each  hav- 
ing a nominal  length  of  100  meters.  For  a perimeter  RU,  the  mi- 
croprocessor, Safe/Arm  switches,  power  supplies,  commun ications 
and  interface  components  are  installed  in  a small,  walk-in,  rein- 
forced concrete  shelter  with  a steel  door  that  is  secured  with  an 
electronic  lock  and  security  padlock  and  having  a manual  elec- 
tronic lock  override  mechanism.  The  shelter  should  be  equipped 
with  intrusion  alarms  and  FEDS  and  should  be  generally  similar  to 
a squared  off  and  greatly  miniaturized  magazine  without  earth 
cover.  It  should  generally  be  located  about  25  meters  inside  the 
inner  perimeter  fence  of  the  exclusion  area  at  the  junction  of 
the  two  perimeter  segments  under  its  control  and  in  a position  to 
minimize  the  lengths  of  the  trenches  containing  the  interconnect- 
ing cables  for  sensors,  FEDS,  CCTV,  etc.,  and  to  minimize  the 
cover  that  might  be  afforded  an  adversary  attempting  to  penetrate 
the  perimeter.  Fig.  7 illustrates  the  general  arrangement.  This 
arrangement  is  meant  to  be  suggestive  rather  than  exact,  and  CCTV 
camera  locations,  in  particular,  will  have  to  be  carefully  ar- 
ranged to  suit  the  requirements  of  any  particular  site. 


Alternative  arrangements,  including  semi-buried  caskets. 
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were  considered  for  housing  the  components  of  the  per 
tions.  These  appeared  to  have  potential  problems  s 
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NOTE: 

* CAMERA  A = 75  MILLIMETER  LENS 

• CAMERA  B=  50  MILLIMETER  LENS 


Figure  7 Relative  Location  of  Perimeter  Stations  and  CCTV  Cameras 


It  is  vital  that  the  microprocessor  and  its  associated 
components  be  provided  with  a very  high  degree  of  physical  secu- 
rity. Compromise  of  the  microprocessor  could  adversely  impact 
the  security  of  the  perimeter  segments  or  magazine  with  which  it 
is  associated.  It  is  for  this  reason  that  it  must  be  installed 
within  the  magazine  or  within  a similarly  protected  shelter 
structure.  There  they  can  contribute  to  the  maintenance  of  their 
own  security  in  two  ways.  The  first  is  in  connection  with  the 
handling  of  the  random  number  that  is  used  to  open  the  electronic 
lock  on  the  door  of  the  magazine  or  shelter  structure.  The 
second  contribution  to  the  maintenance  of  self  security  comes 
about  from  the  entry  of  the  microprocessor  into  an  autonomous 
mode  of  operation  when  communications  with  the  CU  is  lost.  In 
this  mode,  the  alarming  of  a prescribed  group  of  sensors  is  as- 
sumed to  represent  positive  evidence  of  an  unauthorized  access 
attempt,  and  the  automatic  response  is  activation  of  appropriate 
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FEDS.  This  response  must  be  inhibited  when  loss  of  communica- 
tions with  the  CU  is  a result  of  system  malfunction  and  access 
must  be  made  to  perform  maintenance  actions,  and  the  implementa- 
tion of  this  inhibiting  function  must  occur  in  a way  that  does 
not  provide  an  inviting  avenue  of  attack  by  an  adversary.  It  is 
accomplished  using  a manually  operated,  mechanical  override  to 
the  electronic  lock  that  automatically  generates  an  audible  alarm 
and  that  permits  access  only  after  the  expiration  of  a preset 
minimum  period  of  time. 


Electronic  Lock 


At  least  one  of  the  currently  operati 
for  accessing  a special  weapons  storage  magazin 
operations  personnel  and  security  personnel,  in 
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This  procedure  provides  a very  high  degree  of  protection 
but  it  is  conceivable  that  it  might  be  subverted  by  some  combi- 
nation of  defection,  deceit  and  collusion.  With  the 

CSSMRS,  additional  protection  is  provided  through  the  use  of  an 
electronic  lock  that  could  either  be  added  to  the  present  ar- 
rangement, or  could  possibly  replace  one  of  the  presently  em- 
ployed security  padlocks. 


The  electronic  lock  would  be  released  by  the  matching  of 

two  numbers.  The  matching  must  occur  within  a limited  time  of 

the  access  authorization,  and  only  a single  trial  match  would  be 


permitted.  When  access  to  a 
central  processor  generates 
CU  memory  and  stored  for 
croprocessor  associated  with 
housing.  When  authorized 


magazine  is  authorized,  the  CSSMRS 

a random  number  that  is  loaded  into 
later  transmission  to  the  remote  mi- 
the  designated  magazine  or  shelter 

personnel  arrive  at  the  RU  and  tele- 
phone the  Guard  Control  Center  and  advise  that  they  are  ready  to 
access  the  protected  area,  then  the  stored  number  is  transmitted 
to  the  RU.  Upon  receipt,  this  number  is  transferred  to  the 
buffers  of  the  electronic  lock  which  is  located  inside  the 
structure  and  the  lock  is  enabled  for  a one  minute  period  of 
time.  Only  a single  comparison  may  be  made  within  the  time  in- 
terval, and  if  a match  with  the  random  number  occurs,  an 

electrical  latch  on  the  magazine  door  is  released  and  its  release 

reported.  If  a trial  is  made  and  the  match  does  not  occur  the 
enable  period  is  terminated  and  an  alarm  condition  is  reported  to 
the  CSSMRS  central  processor.  An  alarm  condition  is  also  re- 
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ported  if  a match  is  attempted  when  the  acceptance  time  is  not 
enabl ed . 


The  sam 

e random  number 

th 

at  i 

s stored  fo 

r transmissi 

on  to 

the 

el ec  tron ic 

lock 

i s 

al  so 

1 

oaded  into  a 

portable,  ba 

tter  y 

oper 

ated  key  at 

the 

alarm 

central 

sta 

t i o n . An  i 

nterval  timer  in 

the 

key  is  also  sta 

r ted  , 

and 

at 

the 

expi ration 

of  this  interval 

the 

number  is  e 

rased 

from 

the 

key 

mem 

o r y . This 

el ec  tron ic 

key, 

tog  e 

ther  with 

the 

appro 

pr  ia 

te 

pad  1 

ock  key(s) 

are  then 

ta  k- 

en 

by  the  authorized  per 

sonnel 

to 

the  desig 

nated  maga 

zine  . 

Af  t e 

r telephon 

ing 

the  Guard 

Con 

tr  ol 

Center  , the 

el ec  tron ic 

ke  y 

i s 

plugged  i 

n to 

an  appropria 

te 

receptacle 

on  the  ex 

ter  i- 

or 

o f the 

mag  a 

zine 

and 

th 

e r 

esulting  ma 

tch  of  the  r 

andom 

numb 

ers  in  the 

ke  y a 

nd  the 

1 oc 

k 

wi  th 

in  the  acce 

ptance  time 

in- 

terv 

al  releases 

the 

1 atch . 

Th  e r e are 

two  types  of 

keys 

; si 

ngle  us 

e 

keys  and  m 

aster 

ke  ys  . 

When  a single  use  key 

is  used  to  open 

an 

el ec  tron ic 

lock. 

the  r a 

ndom  number 

which  it  con 

tained  is 

erased 

• 

Master  keys 

r e- 

tain 

the  random 

number  with 

which 

the 

y hav e 

be 

en  loaded  and  can 

be  used  to  open  an 

y number  of 

1 oc  ks 

tha 

t hav  e 

b 

een  loaded 

with 

the  c 

or respo nd ing 

number;  the 

y are 

era 

sed  onl 

y 

at  the  expir 

at  ion 

o f the 

time  period 

with  which 

they 

were 

load  ed 

• 

Successful 

matching  of 

the 

rand 

om  num 

be 

rs  in  the 

lock 

wi  th 

those  carri 

ed  in  the 

key 

ca  us 

es  an  e 

lectrically  po 

wer  ed 

sol eno 

id  to  withdr 

aw  a bolt  fr 

om  it 

s St 

r i ke  i 

n 

the  door 

sill, 

r el eas 

ing  the  door 

. This  solenoid 

is  i 

n ter 1 oc 

ked  with  the  m 

an  ual 

Safe/Arm  switch  located  insid 

e th 

e s 

t r uc  tur 

e . 

Po  we  r to 

the 

sol eno 

id  is  interr 

upted  when  the  Sa 

fe/Arm  switch 

is  placed  i 

n the 

"Safe" 

position  by 

a utho  r i zed 

pe  r so 

nnel 

immed 

ia 

tely  upon 

the  i r 

entry. 

This  interruption  of 

po  we 

r wi 

11  perm 

it 

the  bolt  to 

drop 

into  a 

position  that  will  prev 

ent  the  d 

oor  f r 

om 

being  rec 

1 osed 

until 

the  manual 

Safe/Arm  switch 

has 

been  pi 

ac 

ed  in  the  "Armed" 

position.  (A  three  minute  timer  is  also  started  when  the  lock  is 
opened,  and  its  rundown  will  also  release  the  bolt  even  if  the 
Safe/Arm  switch  is  not  actuated.) . This  should  be  the  last  ac- 
tion of  authorized  personnel  prior  to  their  exit  of  the  area,  and 
it  shall  cause  the  solenoid  to  again  be  powered  for  30  seconds, 
lifting  the  bolt  and  permitting  the  door  to  be  closed.  At  the 
expiration  of  the  30  second  delay  period  power  is  removed  from 
the  solenoid,  dropping  the  bolt  into  its  strike  and  locking  the 
now  closed  door . 


The  random  number  that  is  gener 
cpen  the  electronic  lock  is  an  eight 
venient  size  to  handle  with  a microproc 
electronics.  Larger  sizes  of  random 
use  of  more  electronics  components  for 
comparing  it  with  the  number  conta 
larger  component  count  would  result  in 


ated 

by  the  CU 

and  used  to 

bit 

byte 

Th 

is  i s a 

con- 

esso 

r and 

lock 

com pa  r 

a to  r 

num 

ber  s 

wo  uld 

requi re 

the 

sto 

r ing 

the 

number 

and 

ined 

in 

the  key,  and 

this 

r ed 

uced 

r el  i 

a b i 1 i t y 

and 
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shorter  MTBF.  Eight  bits  is  considered  adequate  from  the  securi- 
ty standpoint  since  any  attempt  to  use  a key  outside  the  accep- 
tance time  window  will  cause  an  immediate  tamper  alarm  (Table  II, 
PIN  No.  40).  An  adversary  is  given  no  opportunity  to  try  to  pick 
the  lock  by  trying  all  bit  combinations  , and  any  wrong  bit  pat- 
tern that  is  applied  within  the  acceptance  time  gate  will  give  an 
alarm.  In  addition,  such  a bogus  attempt  will  cause  the  contents 
of  the  lock  storage  register  to  be  cleared  and  the  acceptance 
time  interval  to  be  terminated.  Also,  correct  matching  of  the 
key  and  lock  numbers  in  connection  with  an  authorized  access  will 
also  clear  the  registers  in  the  lock  and  in  a single  use  (as  con- 
trasted to  master)  key  and  terminate  the  key  acceptance  gate 
periods  of  both. 


The  foregoing  descri 
tempt  under  circumstances 
functioning  in  a normal  mann 
as  malfunctions  will  occ 
microprocessor  or  other  syst 
necessary  to  access  the  micr 
gazine  to  perform  correctiv 
complished  using  the  manual 


ption  assumes  a legitimate  access  a t- 
when  all  components  of  the  CSSMRS  are 
er . This  may  not  always  be  the  cas^ 
asionally  occur  in  communications, 
em  components  and  it  will  then  be 
oprocessor  shelter  housing  or  the  ma- 
e maintenance  actions.  This  is  ac- 
override  mechanism. 


Override  Mechanism 


for  Electronic 


Loc  k 


Access  to  a magazine  under 
function  has  occurred  in  the  d 
the  electronic  lock  itself,  requir 
procedure  which  can  be  invoked 
safe  access  to  the  magazine  by  a 
minimum  compromise  to  the  secur 
unauthorized  adversary. 


circumstances  when  a mal- 
ata  link,  the  microprocessor  or 
es  that  there  be  an  override 
. This  procedure  must  permit 
uthorized  personnel  but  with 
ity  of  the  magazine  against  an 


It  is  believed  that  these  objectives  can  best  be  at- 
tained through  the  use  of  non-elec tronic  facilities  that  would: 
a)  require  a special  tool  to  operate,  and  b)  would  sound  a high 
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time 
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uld 
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om 
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ic  Sa 

f e/Arm 

dev  ic  e 

to 
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" Sa 

f e 

ver  te 

nt 

ac 

tua  t ion 

o f 

FEDS 

• 

tuation  was  started,  and  c)  would 
t be  completed  before  the  expira- 
terval  , and  d)  at  the  end  of  this 
y withdraw  the  bolt  of  the 
and  e)  would  force  the  electron- 
" position  to  prevent  the  inad- 
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nc 
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1 a 

r 
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pi 
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th 
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c 
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m 

ag 

azine 

d 

oor  . 

It 

wo  uld 
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t 

wo  uld 

be 

inse 

r 

ted 

eng 

ag 

e 

a sha 

ft 

enc 

losed 

by 

sha 

ft 

• 

Ro 

ta  t io 

nal 

s 

peed 

gal 

g 

ov 

er  nor 

a 

r r ang 

em  en 

t 

tha 

t which  could  be  used  to 
uld  be  mounted  on  the  interior  of 
actuated  by  means  of  a crank 
ugh  a sleeve  in  the  door  so  as  to 
sleeve  and  rotate  this 
be  limited  by  a centrifu- 
disengage  the  shaft  from 


be 
thro 
the 
wo  uld 
t would 


36 


the  mechanism  that  it  drives  if  the  crank  were  to  be 
rotated  too  rapidly.  The  shaft,  when  rotated  at  a suitably 
low  speed,  would  drive  a set  of  reduction  gears  that 
would  further  reduce  the  speed.  These  would,  in  turn,  drive  a 
lead  screw  that  would  move  a yoke  arrangement  that  would  pull 
the  bolt  of  the  electronic  lock  using  a flexible  metal  cable. 
Pulling  this  cable  would  also  actuate  the  valve  on  a 
compressed  nitrogen  cylinder  that  was  connected  to  an  air  operat- 
ed horn  to  sound  an  audible  alarm  long  before  the  bolt  is  with- 
drawn. 


A sketch  showing  one  way  that  such  a mechanism 
might  be  implemented  is  shown  in  Fig.  8.  This  sketch  is  in- 
tended only  to  illustrate  a concept;  it  is  not  a complete  en- 
gineering design. 

Item  A is  a casting  that  serves  as  the  major  frame  of 

the  device,  supporting  the  bearings  (not  detailed  on  the 

sketch)  and  other  major  components.  It  is  mounted  on  the  in- 
side of  the  magazine  door  (mounting  arrangements  not  shown) 
and  fitted  with  a protective  cover  (not  shown)  with  the  drive 
shaft,  B,  projecting  into  a metal  sleeve  through  the  door. 
A crank  may  be  inserted  into  the  sleeve  through  the  door  from  the 
outside  and  will  have  holes  that  will  mate  with  the  unsymmetri- 
cally  located  studs  on  the  end  of  B.  The  studs  on  shaft  B are 
intended  to  make  it  difficult  to  rotate  the  shaft  with  any 
thing  other  than  the  appropriate  crank  which  should  be  kept  in 
a secure  area  when  it  is  not  in  use. 

A deep  socket  wrench,  F,  is  normally  forced  to  engage 

the  hexagonal  section,  G,  as  a result  of  pressure  from  spring 

E.  This  socket  wrench  is  free  to  slide  on  the  square  section  of 
B above  the  spring,  E.  It  is  linked  to  three  governor 
weights,  D,  (only  one  is  shown  in  the  lower  view  of  the  sketch) 
which  are  securely  attached  to  the  shaft  by  collar,  C.  The 
size  of  these  governor  weights,  D,  and  the  rate  of  spring,  E,  are 
set  to  cause  disengagement  between  F and  G to  occur  at  any  rota- 
tional velocity  greater  than  about  one  revolution  per  second. 
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Figure  8 Override  Mechanism 

Rotation  of  shaft,  B,  at  an  acceptably  low  speed,  drives 
spur  gear,  H,  which  engages  another  spur  gear,  J,  furth- 
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Override  Mechanism 


er  r 

ed  uc ing 

the  rota 

tional  velo 

city  by  a 

factor  o 

f about 

ten  . 

This 

rotation 

is  tran 

si 

ated  throug 

h a right 

angle  by 

bevel  gears, 

K , to  d 

rive  a th 

re 

aded  shaft, 

L.  A spl it 

yo  ke  , M , 

is 

attached 

to  the  thread 

ed 

shaft,  and 

is  slowly 

moved  from 

the 

po  s i t i o n 

shown  i 

n the  ske 

tc 

h up  toward 

the  bevel  gears. 

The 

thread  s 

on  L 

are  under 

cut  at  the 

end  nearest 

to  K so 

tha  t 

excessi 

ve  crank 

ing  canno 

t 

drive  yo  ke  , 

M,  into  the  bearing 

support  adj 

acent 

to  Kb 

ut 

rather 

drops  M of 

f of  the 

thr  e 

aded  sec 

tion  of 

L when  th 

e 

undercut  is 

r eac  hed  . Th 

e yoke  is 

ke  pt 

roughl  y 

al ig  ned 

with  sha 

ft 

, L,  during 

its  travel  by  machined 

slot 

s in  the 

side  of 

bearing 

bl 

ock,  N,  whic 

h also  seats 

the  right 

hand 

end  o f 

shaft , 

L,  which 

i s 

supported  by  the  thrust 

bear ing  s , 

o,  t 

hat  are, 

in  turn 

, contain 

ed 

by  pi ug  , P. 

A flexible 

cable  is 

a 

ttached  to  the  yoke  at 

R . This 

cabl 

e actuates  the  v 

alve  on  a 

c 

ylinder  of 

dry  nitrog 

en  during 

the 

initia 

1 pa  r t 

o f the 

m 

ovement  of 

the  yo  ke  , 

r el  easing 

the 

gas  to 

blow  a 

n air  ho r 

n . 

The  cylinder  valve 

is  pulled 

by 

a branch 

cable 

that  is 

s 

pi  iced  into 

the  mai 

n cable. 

Ther 

e i s a 

spring  i 

n series 

wi 

th  this  branch  cable  tha 

t permits 

mo  t i 

on  of  the  main 

cable 

to 

be  readily 

continued 

after  the 

1 im  i 

t of 

travel 

of  the 

n i 

trogen  cyli 

nder  valve 

has  been 

reac 

hed  . 

The  main 

cable 

i s 

attached  to 

the  bolt 

of  the 

(normally  electrically  actuated)  solenoid  lock  and  its  length  is 
such  that  the  bolt  will  be  pulled  clear  of  the  strike  just 
before  the  magnet,  T,  on  the  side  of  the  yoke,  M,  reaches  and 
actuates  the  sealed  reed  relay,  U.  When  reed  relay,  U,  is 
actuated,  this  forces  the  electrical  Safe/Arm  switch  to  the 
safe  position  disabling  the  FEDS  and  also  provides  a signal  to 
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a utho  r 

i zed 

pe 

r so 

nnel 
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king  acce 

ss  that  the 

over 

r id  e 

pr  o- 

cedure  has 
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compl  e ted 

• 

Reset  o 
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ov 
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e mechani 
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that 
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the  thr 
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tt  ing 
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Then 
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sc  r ews 

retig 

hte 

ned 

• 
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ec  han ic  al 
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id  e 
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ly  powered 
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to 

authorized  personnel  when  the  operation  had  been  completed,  and  a 
tamper  alarm  should  be  incorporated  together  with  a pressure 
operated  alarm  to  signal  low  gas  pressure  in  the  storage  tank. 

Fig.  9 shows  an  artists  conception  of  the  installation  of 
an  override  mechanism  on  a magazine  door. 
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Since 

it  will  be 

nec 

essar y 

to  use  the  override  mecha 

n i sm 

when 

th 

ere 

has 

been  a fa 

il  ur 

e in  e i 

ther 

the  communications  or 

m i- 

cro  pr 

oc 

esso 

r c 

apabilitie 

s a 

t 

a RU, 

the 

normal  procedures  for 

es- 

tabl  i 

sh 

ing 

an 

access 

wi  1 

1 

not  be 

ava 

liable.  As  a conseque 

nce  , 

the  m 

om 

en  t 

tha 

t service 

i s 

r 

esto  r ed 

by 

the  repair  crew,  se 

nsor 

al  arm 

s 

will 

be 

reported 

to 

the  CU  a 

nd  d 

isplayed  at  the  Guard 

Con- 

trol 

Sta  t io 

ns . 

Local  o 

per 

a 

t ional 

pro 

cedures  must  accommodate 

this. 

Fo  r 

example,  the 

1 oc 

a 

tion  of 

the 

RU  where  the  override 

ac- 

tion  is  planned  is  known  in  advance  to  the  guard  forces  and  the 
appropriate  alarm  indicators  can  be  marked  using  a grease  pencil 
or  liquid  chalk  or  other  easily  removable  marking  method.  In  ad- 
dition, the  repair  crew  might  be  given  an  electronic  key  loaded 
with  a random  number  having  a long  lif 
to  be  still  valid  after  the  passage 
repairs.  Then,  when  service  had  been  restored, 
personnel  could  telephone  the  Guard 
through  the  normal  access  procedure  con' 
to  an  access  status  on  the  appropriate  < 
the  Guard  Control  Station.  This  would 
benefit  of  testing  the  electronic  lock. 
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add 
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Safe/Arm  Provisions  for  FEDS 

The  FEDS  must  be  configured  in  a RU  in  such  a way  that 
they  can  be  quickly  and  reliably  actuated  when  they  might  be 
needed  in  an  emergency,  but  protected  against  accidental  or  unin- 
tended firing.  It  should  be  nearly  impossible  for  FEDS  to  be  ac- 
tuated as  a consequence  of  activities  conducted  in  the  course  of 
authorized  accesses  to  a protected  area,  or  as  a result  of  deli- 
berate harassment  efforts  on  the  part  of  an  adversary.  There 
should  also  be  a very  high  probability  that  they  will  be  actuated 
if  an  adversary  succeeds  in  penetrating  the  protected  area. 


whe 

ther  or  not  the  RU  affected 

has  been  cut  off 

and 

canno  t 

com- 

mun 

icate  with  the  CU.  Fig 

. 10 

i s 

a simpl if ied 
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d iag  ram 
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wing  the  Safe/Arm  ar 
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thr 
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r 
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FED. 

Both  of  the  Safe/Arm  switc 
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be  in  the  "Arm 

" po  s 

i t 

ion , 

and 
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appropriate  fire  contr 

ol  swi 

tc 

h must  be  actua 

ted  i 

n 

o rd  er 

for 

the 

squib  of  the  selected 

FED  to 
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1 ow 
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al  amperes  magn 
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• 

Normally,  when  a m 

ag  a zin 

e 

is  in  a sec 

ur  e 

sta  te  , 
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electrical  Safe/Arm  switch  is  in  the  "Safe"  position  and  the 
manually  controlled  Safe/  Arm  switch  is  in  the  "Armed"  position. 
If  a sensor  alarm  occurs,  the  RU  reports  it  to  the  CU  in  response 
to  the  next  poll.  It  is  then  reported  and  displayed  at  the  Guard 
Control  Station  where  it  is  acknowledged  and  assessed.  If,  as  a 
result  of  the  assessment,  the  guard  determines  that  there  is  a 
valid  threat,  he  may  elect  to  actuate  the  FEDS.  He  does  this  by 
first  commanding  that  the  FEDS  be  armed.  This  is  done  by  means 
of  a message  from  the  CU  to  the  RU  that  switches  the  electrically 
controlled  Safe/Arm  switch  to  the  "Armed"  position.  The  guard 
then  actuates  function  keys  that  direct  the  firing  of  the  FEDS 
and  the  resulting  message  from  the  CU  to  the  RU  actuates  the 
proper  fire  control  switches. 

The  foregoing  assumes  that  assessment  is  a prerequisite 
to  actuation  of  a FED  because  only  a single  alarm  has  been  trig- 
gered and  this  could  have  been  caused  by  malfunction  or  some 
nuisance  event  rather  than  by  an  adversary.  This  uncertainty 
would  not  exist,  however,  if  several  different  types  of  sensors 
protecting  the  area  were  to  be  alarmed  in  the  proper  sequence. 
For  example,  if  the  magnetic  switch  on  the  door  of  a magazine 
were  to  become  alarmed,  followed  immediately  by  an  alarm  from  a 
sensor  of  visible  light  located  inside  the  magazine,  followed  in 
turn  by  an  alarm  from  a motion  sensor  located  inside  the  maga- 
zine, there  would  be  a high  order  of  certainty  that  the  door  of 
that  magazine  had  been  opened,  admitting  both  light  and  someone 
who  was  moving  around  inside.  Under  these  circumstances,  the  CU 
would  be  programmed  to  arm  and  fire  FEDS  without  waiting  for 
guard  assessment  and  action.  Further,  in  the  event  communication 
between  the  CU  and  the  RU  had  been  cut  off,  the  RU  would  be  pro- 
grammed to  take  the  same  actions  autonomously  and  fire  the  FEDS 
on  the  basis  of  the  alarms  from  this  special  sensor  group. 


When  authorized  access  to  an  RU  occurs,  the  random 
numbers  transmitted  to  the  electronic  lock  and  loaded  into  the 
electronic  key  match  when  the  key  is  plugged  into  the  lock  recep- 
tacle. This  actuates  the  solenoid  that  opens  the  bolt  of  the 
lock.  Normally  the  personnel  making  the  authorized  access  would 
now  open  the  door,  enter  the  magazine  and  proceed  to  the  manually 
operated  Safe/Arm  switch  to  throw  it  to  the  "Safe"  position  as 
their  first  act  after  entry.  If  however,  communications  between 
the  RU  and  the  CU  should  fail  between  the  time  that  they  had  en- 
tered the  magazine  and  the  time  that  the  manually  operated  switch 
had  been  placed  in  the  "Safe"  position,  the  special  sensor  group 
described  above  would  be  alarmed  and  the  RU  would  autonomously 
fire  the  FEDS  unless  prevented  from  doing  so  by  other  means. 
Such  a means  is  invoked  for  the  safety  of  authorized  personnel. 
The  fact  that  the  electronic  lock  has  been  operated  as  a result 
of  a match  in  the  random  numbers  is  logically  combined  with  the 
RU  computer's  attempt  to  arm  the  electrically  controlled  Safe/Arm 
switch  to  start  a timer  which  will  delay  the  arming  command  for 
30  seconds  and  will  sound  a warning  horn  for  this  period.  This 


42 


delayed  firing  sequence  can  be  stopped  by  either  of  two  actions. 
The  manually  operated  Safe/Arm  switch  can  be  placed  in  the  "Safe” 
position  (which  releases  the  solenoid  actuated  bolt)  or  the  per- 
sonnel can  retreat,  closing  the  magazine  door  and  removing  the 
alarm  causing  conditions.  If  the  latter  course  of  action  occurs, 
the  matching  signal  from  the  electronic  lock  is  reset  automati- 
cally by  the  rundown  of  a timer  that  was  started  at  the  time  that 
the  lock  was  opened. 

In  instances  when  access  is  made  after  using  the  mechani- 
cal override  to  the  electronic  lock  (required  in  the  event  of 
failure  of  certain  RU  components)  , the  electrical  Safe/Arm  switch 
is  positively  forced  to  the  "Safe"  position  and  any  computer  com- 
mands to  the  contrary  are  inhibited.  The  "Safe"  condition  of  the 
electrical  Safe/Arm  switch  is  annunciated  when  the  override 
mechanism  has  been  actuated  to  the  end  of  it's  cycle. 
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Figure  10  Safe/Arm  Switch  Arrangement 

just  as  the  first  act  on  entering  a protected  area  is  to 
place  the  manually  operated  Safe/Arm  switch  to  "Safe",  the  last 
act  before  leaving  is  to  switch  it  back  to  "Armed" . This  action 
starts  a 30  second  timer.  The  timer  actuates  the  solenoid  of  the 
locking  bolt,  permitting  the  door  to  be  closed,  and  inhibits  any 
command  from  the  computer  to  arm  the  electronic  Safe/Arm  switch. 
This  provides  personnel  the  same  protection  against  the  loss  of 
communication  during  exit  that  they  received  during  entry.  The 
warning  horn  is  again  sounded  if  communication  loss  should  occur 
prior  to  rundown  of  the  timer  and  exit  of  the  personnel. 

Three  voltage  sensing  points  are  provided  in  the  arrange- 
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merits  and  these  can  be  used  with  appropriate  computer  commands  to 
test  the  power  source  used  for  firing  FEDS,  to  test  the  continui- 
ty of  each  of  the  FEDS  squibs  and  to  ascertain  the  position  of 
each  of  the  two  Safe/  Arm  switches.  Additional  details  reqarding 
the  circuitry  of  the  Safe/  Arm  system  may  be  found  in  the  Appen- 
dix . 

Mic  roprocessor 

The  microprocessor  that  is  a part  of  each  RU  must  be 
selected  to  be  reliable  and  to  be  tolerant  of  environmental  vari- 
ations, particularly  temperature  extremes.  It  should  be  economi- 
cal in  power  requirements  and  should  function  properly  in  spite 
of  modest  variations  in  supply  voltage.  Complementary  metal  ox- 
ide semiconductor  (CMOS)  fabrication  techniques  yield  devices 
that  meet  these  requirements  and  are  recommended  for  this  appli- 
cation. All  programs  should  be  stored  in  read  only  memory  (ROM) 
while  static  random  access  memory  (RAM)  is  provided  for  variable 
data  . 

The  Remote  Unit  computer  can  assume  any  one  of 
nine  possible  states.  These  are: 

Initial  State 

Secure  State  Normal 

Alarm  State  Normal 

Arm  FEDS  State  Normal 

Fire  FEDS  State  Normal 

Secure  State  Autonomous 

Alarm  State  Autonomous 

Arm  FEDS  State  Autonomous 

Fire  FEDS  State  Autonomous 


Autonomous  states  are  entered  if  no  communication  exists 
between  the  RU  and  the  CU. 

The  program  occupies  only  one  "state"  at  a time,  although 
many  activities  may  be  carried  on  while  in  each  state.  Programs 
are  modular  in  form  to  facilitate  both  documentation  and  possible 
future  modification. 

The  operating  system  and  all  of  the  program  modules  are 


45 


based  on  cyclic  polling  of  inputs  rather  than  being  interrupt 
driven.  The  programs  shall  contain  at  least  the  following 
mod  ul es : 

Initialization.  This  shall  consist  of  those  functions 
that  are  necessary  to  bring  the  microprocessor  at  the  RU  up  from 
the  power-off  condition  to  the  Secure  State  Normal. 

Polling  Sensors  and  Electronic  Lock.  The  status  of  each 
sensor  and  the  electronic  lock  shall  be  polled  in  a cycle  which 
is  never  to  exceed  80  ms  and  which  is  to  be  started  immediately 
following  a response  to  a poll  command  from  the  CU.  When  an 
alarm  condition  is  detected  from  any  sensor,  a special  area  in 
RAM  (called  the  Status  Report)  is  updated  with  the  sensor  identi- 
ty number;  a Status  Change  flag  is  set  to  control  the  type  of 
response  made  to  the  next  poll  by  the  CU;  the  State  is  changed 
from  Secure  State  Normal  to  Alarm  State  Normal.  An  incorrect  at- 
tempt to  operate  the  electronic  lock  is  considered  an  alarm  con- 
dition. 


Responding  to  Commands  from  the  CU.  The  microprocessor 
at  the  RU  begins  to  monitor  a poll  time  window  80  milliseconds 
after  the  last  poll  was  received,  and  continues  to  monitor  this 
window  until  the  next  poll  is  received  or  until  220  ms  additional 
time  passes,  whichever  occurs  first.  If  the  poll  is  received 
within  the  poll  time  window,  the  frame  is  accepted,  if  correct, 
and  acted  upon.  A UI  command  is  acknowledged  and  the  instruc- 
tions in  the  information  field  are  executed.  A UP  command  causes 
a UI  response  with  the  Status  Report  contained  in  the  information 
field.  A PN  command  causes  a UA  response  if  the  status  change 
flag  has  not  been  set  and  a UI  response  with  the  change  informa- 
tion if  it  has  been  set.  An  APN  or  UI  frame  must  be  received  as 
the  next  command  following  this  response.  If  the  poll  is  not  re- 
ceived within  the  poll  window  (0.3  second  since  the  last  poll) 
the  Autonomous  Mode  Normal  State  is  entered.  In  the  Autonomous 
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Central  Computer  Complex 


The  Central  Computer  Complex  is  to  consist  of  the  follow- 
ing elements: 

Central  Computer  (triply  redundant) 

Communications  Microprocessors 
(one  per  CROSSFIRE  loop) 


Reliability  Considerations 


An  exceptionally  high  degree  of  reliability  in  the  Cen- 
tral Computer  is  essential  to  an  acceptable  level  of  performance 
of  the  CSSMRS.  If  an  RU  fails,  a guard  can  be  posted  at  the  pro- 
tected area  until  service  can  be  restored.  Failure  of  a communi- 
cations microprocessor  poses  more  of  a problem,  but  even  this 
sort  of  failure  temporarily  disables  only  a small  portion  of  the 
physical  security  system  at  a site.  Failure  of  a Guard  Control 
Station  causes  inconvenience,  but  the  second  Guard  Control  Sta- 
tion is  available  to  maintain  the  continuity  of  security  surveil- 
lance. Total  failure  of  the  Central  Computer,  however,  would  have 
a major  impact  on  the  site  security  posture,  and  every  effort 
must  be  made  to  minimize  the  possibility  that  this  could  occur. 

This  sort  of  reliability  requirement  is  neither  new  nor 
unique.  It  exists  in  many  computerized  applications  that  range 
from  airline  reservation  systems  through  on-line  process  control 
systems  such  as  are  used  with  nuclear  power  generating  plants  to 
manned  space  flight  systems.  The  general  solution  to  the  problem 
involves  the  use  of  redundant  computer  systems  with  the  tech- 
niques for  the  application  of  the  redundancy  and  the  associated 
trade-offs  between  hardware  and  software  complexity  often  being 
application  dependent.  For  example,  one  approach  (selected  for 
CSSMRS)  involves  the  simultaneous  processing  of  the  same  data  by 
multiple  computers  and  the  periodic  intercomparison  of  results  to 
ascertain  that  agreement  exists.  Another  technique  that  is  some- 
times employed  where  a slight  delay  is  tolerable,  is  for  the 
backup  processor  to  reconstruct  the  current  status  working  from  a 
backup  data  base  that  is  as  current  as  feasible.  The  first  ar- 
rangement is  used  in  the  manned  space  shuttle  flight  control  com- 
puter. Redundant  processors  work  in  parallel  and  their  results 
are  compared  several  hundred  tinfes  per  second.  Because  of  slight 
differences  in  processing  rates  strict  software  precautions  must 
be  invoked  to  insure  that  each  of  the  computers  is  operating  on 
identical  input  data.  If  one  computer  received  as  input,  data 
that  had  just  been  modified  by  the  processing  of  another  of  the 
computers,  their  outputs  could  not  agree.  Frequent  pauses  are 
necessary  to  ensure  that  each  processor  has  caught  up  with  the 
others.  Problems  of  this  type  are  aggravated  by  electromechanical 
computer  components  such  as  rotating  memory  units.  Indeed,  these 
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electromechanical  devices  are  themselves  far  more  susceptible  to 
failure  than  are  solid  state  memory  components. 


Failures  in  computer  systems  can  result  from  either 
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Central  Computer 


A block  diagram  of  the  Central  Computer  is  shown  in  Fig- 
ure 11.  The  major  elements  are  three  computers.  Computer  A,  Com- 
puter B and  Computer  C.  These  computers  are  to  be  driven  by  a 
common  clock  and  are  to  have  identical  programs.  At  some  time 
during  each  clock  period  there  is  to  be  a time  when  the  informa- 
tion on  all  high  speed  buses  is  identical.  This  identity  is  to 
be  checked  by  a set  of  comparators  once  per  clock  period.  These 
comparators  are  to  have  output  means  which  identify  a computer 
whose  buses  are  not  identical  to  at  least  one  other  computer.  In 
Figure  11  these  output  means  are  shown  as  three  wires  "A"  BAD, 
" B"  BAD,  and  " C"  BAD.  A Resynch  Controller  (not  shown  in  Figure 
11)  provides  certain  necessary  control  signals  during  a resyn- 
chronizing operation. 


All  information  passing  from  the  three  computers  to  out- 
put ports  is  to  pass  through  gating  such  that  only  information 
from  the  two  "OK"  computers  is  passed  to  the  output  ports.  These 
gates  provide  the  capability  of  continuing  to  output  the  informa- 
tion generated  by  the  two  computers  which  are  in  agreement,  even 
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Figure  11  Triply  Redundant  Central  Computer 


Program  Modules  of  the  Central  Computer 

The  Central  Computer  Program  is  to  consist  of 
Operating  System  and  the  following  Program  Modules: 


an 
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Initial ization 

Re  sync  hr on i za tion 

RU  Status  Update 

Status  Change  Dissemination 

Geographical  Display  Unit  Driver 

Guard  Operating  Panel  Indicators  Driver 

Digital  Display  Unit  Driver 

Logging  Printer  Driver 

Guard  Control  Station  Monitoring 

Independent  Reaction 

Assessment  Patching 

Guard  Login/Logout 

Random  Guard  Assignment 

Access  Control 

Sensor  Testing 

FEDS  Testing 

Environmental  Correlation 
Communication  Monitoring 
Self  Testing 

Response  Forces  Alerting  Driver 
Augmentation  Forces  Communications  Driver 


Initialization  Module 

Each  of  the  three  redundant  computers  is  to  have  its  own 
independent  power  supply  and  backup  power  supply.  At  time  of 
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with  the  o 

ther 

com 

put 

ers, 

a hardware 

fail 

ure  is  assumed,  and  no 

ti f icat ion 

i s 

g iv 

en 

to 

the  Guard 

Fo  rc 

e that  a repairman  is  to 

be  c al 1 ed . 

The 

sys 

tern 

then 

continues 

wi  th 

two  computers. 

The 

Operating 

Sys  t 

em  is  to  provide  at  appr 

ox  imatel y 

one 

sec 

ond 

intervals  an 

opportunity  to  enter  the  Res 

ynchroni za 

tion 

Mod 

ul  e 

. Thi 

s time  is  c 

ailed  the  All  OK  Check  Time. 

If  , at 

this 

che 

c k 

time 

, one  o 

f the  Computer  OK  lines  is  do 

wn  ( ind  ica 

ting 

tha 

t there 

has  been  some  c 

omputer  disagreement  si 

nee  the 

1 ast 

Che 

c k 

Time 

) the  oper 

ating  system  is  to  enter  the 

Resync  hr on 

i za- 
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tion  Module.  If  no  Computer  OK  lines  are  down,  the  Operating  Sys- 
tem skips  the  Resynchronization  Module. 


Upon  en 

ter  i 

ng  the  Re  sync  hr on i za t 

ion 

Mod  ul  e , 

contr o 

1 is 

pa 

ssed 

to  the 

Res 

ynch  Controller,  whic 

his 

central 

to  al  1 

three 

comput 

e r s . The 

first  step  is  to  mask  all 

poss 

ible  in 

ter  r upts 

from 

outsid 

e source 

s . 

Assume  that  Computer 

A ha 

s had  a 

d isag  re 

emen  t 

wi 

th  Computers 

B and  C.  The  Resynch  Cont 

rol  1 e 

r sets 

B and  C 

to  a 

WA 

IT 

cond  i tion 

. The  next  step  is  for  Comput 

er  A to 

take  co 

ntr  ol 

of 

Com 

puter  B's 

hig 

h speed  buses.  Comput 

er  A 

is  to  then  copy 

the 

CO 

n ten 

ts  of  all 

o f 

the  RAM  located  in  Compute 

r B.  Upon  com pi 

e t ion 

o f 

th  i 

s task  Comput 

er  A notifies  the  Res 

ynch 

Control 

ler  and 

goes 

in 

to 

a WAIT  s 

ta  te 

. the  Resynch  Control 

ler  then  rem 

oves  the 

WAIT 

CO 

nd  i t 

ion  from 

all 

three  computers  and  v 

ec  to  r 

s them 

to  the 

syn- 

ch 

roni 

zed  exit 

from 

the  Resynchronizatio 

n Mod 

ul  e . 

If  Computer 

B is  the  nonconforming  un 

it,  the 

n Comput 

er  B 

CO 

pies 

RAM  f r 

om 

Computer  C.  If  Comput 

er  C 

i s the 

nonconfo 

rm  ing 

un 

it , 

Computer 

C is 

to  copy  RAM  from  Com 

puter 

A. 

RU  Status  Update  Module 

This  module  is  to  receive  status  information  about  each 
Remote  Unit  and  to  update  the  RU  Status  Memory  if  status  has 
chang  ed . 

During  normal  communication  load  conditions,  the  module 
shall  poll  each  of  the  Communications  Microprocessors  (CM)  at  a 
rate  such  that  all  CMs  are  read  within  an  80  millisecond  period. 
Since  the  CMs  are  to  act  as  information  buffers,  each  polling 
will  result  in  the  Central  Computer  receiving  a complete  report 
on  all  the  changes  occurring  in  any  reportable  items  at  all  the 
Remote  Units  reporting  to  that  Communications  Microprocessor. 
Following  a poll  in  which  no  RUs  reported  changes,  a Communica- 
tions Microprocessor  Summary  Report  will  state  that  each  RU  has 
been  contacted  and  that  the  status  of  no  RU  has  changed.  Under 
such  conditions,  this  program  module  does  not  change  the  data  in 
the  RU  Status  Memory. 

Included  in  the  report  from  the  CM  to  the  Central  comput- 


er is  a CROSSFIRE  Communication  Loss 
words  is  associated  with  each  RU  and 
polls  that  that  particular  RU  has 
response  from  that  RU  to  the  CM.  This 
bits  as  follows : 


Word  (CCLW) . One  of  these 
indicates  the  number  of 
missed  since  the  last  good 
word  is  to  consist  of  two 


00  - No  polls  missed 

01  - One  poll  missed 

10  - Two  polls  missed 

11  - More  than  two  polls  missed 
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In  keeping  with  the  general  principle  of  reporting 
changes  only,  this  CROSSFIRE  Communication  Loss  Word  needs  to  be 
included  in  the  summary  message  from  CM  to  Central  Computer  only 
for  those  specific  RUs  for  whom  the  CCLW  has  changed.  This  oc- 
curs whenever  one  or  more  polls  have  been  lost. 


The  CROSSFIRE  Communication  Loss  Word  is  to  be  used  in 
the  Communications  Monitoring  Module. 


The  RU  Status  Memory  is  to  consist  of  two  bytes  for  each 
Remote  Unit  in  the  CSSMRS.  The  format  for  information  within 


^tes  are 

as 

fol 

lows  : 

Byte  1 

Bit 

1 

Communication  Loss  Word 

II 

Bit 

2 

99  91  91 

II 

Bit 

3 

Sec  ur e/Al arm 

II 

Bit 

4 

No  Access/ Access 

96 

Bit 

5 

Sa  fe/ Arm 

96 

Bit 

6 

Number  of  FEDS  sets  fired 

96 

Bit 

7 

II  II  II  91  91 

91 

Bit 

8 

99  99  II  91  99 

Byte  2 

Bit 

1 

Normal  power/Backup  power 

69 

Bit 

2 

All  sensors  OK/not  OK 

16 

Bit 

3 

All  FEDS  OK/not  OK 

91 

Bit; 

s 4 

through  8 available  as  spares. 

The  messages 

transmitted  from  the  Communications 

Mi- 
croprocessors to  the  Central  Computer  are  to  be  sent  via  dedicat- 
ed First-In-First-Out  buffers  (FIFO)  to  act  as  load  levelers. 
Each  message  from  a CM  to  the  Central  Computer  is  to  consist  of  a 
summary  of  the  entire  last  polling  cycle  of  the  loop  of  RUs  which 
it  is  responsible  for.  This  summary  is  to  be  organized  by  Sensor 
type;  under  each  Sensor  type  which  had  a change,  the  specific  RU 
number  having  such  an  alarm  is  listed. 

Each  of  these  messages  will  have  as  a part  of  it  a Poll 
Period  Word  (PPW) .The  PPW  is  to  consist  of  two  bits;  if  the  last 
poll  conducted  by  the  Communications  Microprocessor  was  completed 
within  the  normal  poll  cycle  time,  the  time  word  is  00.  The  com- 
plete code  for  time  words  is  as  follows: 


54 


00 

- Completed 

between 

0 . 0 and 

0 

. 1 

sec  . 

01 

- Completed 

between 

0.1  and 

0 

. 2 

sec  . 

10 

- Completed 

between 

0.2  and 

0 

. 3 

sec  . 

11 

- Completed 

in  more 

than  0. 

3 

sec 

• 

The 

PPW  is 

to 

be  used  as  additional 

input 

i n fo  rm 

at  i 

on 

to 

the 

Env  i 

r onmen  tal 

Cor 

r el  at 

ion  Mod ul 

e . 

The 

Commun 

ica 

t ion 

Mic  ropro 

cesso  r ' s 

f i 

rmwar  e 

i 

s 

to 

be 

des 

ig  ned 

in 

sue h a 

wa 

y tha 

t,  during 

times  o 

f ab 

normal 

ly 

h ig 

h 1 

ev- 

el  s 

o f c 

ommun icat i 

on  , 

the 

loop  poll 

ing  cycl 

es  m 

ay 

i nc 

rea 

se 

beyond 

100 

mil 

1 i second  s . 

An  ab 

no  rmal 1 y 

high  lev 

el  o 

f c 

omm 

un  i 

cat 

ion 

i s 

de  f 

ined 

as 

being 

m 

ore 

than  100 

al  arms 

be 

ing 

r 

epo 

r ted 

per 

CROSSFIR 

E loop  per 

poll  ing 

c yc  1 e . 

Sii 

m il ar 1 y , 

the  firm 

wa  r e f o r 

the 

RU 

Stat 

us 

Update 

Mod  ul  e 

is 

al  so 

to 

be  desig 

ned  in 

s 

uc  h a wa 

y tha 

t , 

d ur  i 

ng 

times  o 

f abnor- 

mal 

ly  h 

ig  h 

levels  o 

f commun 

ic  a t ion 

be  twe 

en 

the 

Central 

Computer 

and 

th 

e 

Commun  ica 

tion  Mi 

c 

roprocessors , 

th 

e po 

11 

ing  cycl 

e of  the 

CMs 

by 

the 

Central 

Compute 

r 

shall  b 

e all 

owed  to 

1 

eng  then  . 

Wh 

en  any  re 

po  r tabl 

e 

status 

c hang 

e i 

s po  s 

ted  to 

the  RU 

S ta 

tus 

Memory,  the 

number 

of  that 

RU  is 

al 

so  sto 

red  in  a 

po  r t i o n 

of  memory  called  the  Change  File. 


Status  Change  Dissemination  Module 


The 

pur 

to 

o ut 

put  a 

ny 

the 

Guard  Co 

ntr 

The 

Sta 

tig 

ate 

the 

Ch 

had 

any 

chang  e 

cal 

1 ed  , 

the 

Mod 

Mem 

ory . 

The 

Mod 

the 

typ 

e of 

sta 

Cor 

r el  a 

tion 

Mod 

to 

the 

Geog  r a 

Pan 

el  Indica 

to  r 

Geog  raphic  al 

Di 

The 

pur 

RU  Status 


1 s 
to 


tus  Change 
ange  File, 
in  status 
ule  reads 
ule  firmwa 
tus  change 
ule,  as  to 
phical  Di 
s (GOPI ) , 


Dissemination  Module  is  to  first  inves- 
If  the  Change  File  shows  that  an  RU  has 
since  the  last  time  this  Module  was 
the  Status  of  that  RU  from  the  RU  Status 
re  is  to  then  make  a decision,  based  on 
and  on  the  output  of  the  Environmental 
whether  the  information  is  to  be  sent 
splay  Unit,  the  DDU,the  Guard  Operating 
the  Logging  printer,  or  all  four. 


se  of  the  Geographical  Display  Unit  Driver 
Module  is  to  accept  data  from  the  Status  Change  Dissemination 
Module  and  illuminate  appropriate  indicators  on  the  Geographical 
Display  Unit.  The  Geographical  Display  Unit  Driver  Module  is  to 
reside  in  a microprocessor  dedicated  to  this  task.  The  Geograph- 
ical Display  Unit  Microprocessor  drives  hardware  lamp  drivers. 
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See  Section  on  Geographical  Display  Unit  for  details. 

The  Geographical  Display  Unit  Driver  Module  is  to  be  able 
to  accept  up  to  512  indicator  changes  per  second.  For  changes 
which  require  a guard  acknowledgement,  these  indicators  are  to 
flash  under  Driver  control  until  such  acknowledgement  is  made. 

Two  indicators  per  RU  are  to  be  serviced.  One  of  the  in- 
dicators is  to  be  yellow,  indicating  that  an  authorized  access  is 
in  process.  The  other  indicator  is  to  be  red,  indicating  that  the 
RU  has  at  least  one  alarm  condition. 


Guard  Operating  Panel  Indicator  Driver  Module 

This  module  accepts  inputs  from  the  Status  Change  Dissem- 
ination Module,  and  it  outputs  steady  or  flashing  commands  to 
specific  hardware  lamp  drivers. 


Digital  Display  Unit  Driver  Module 

The  purpose  of  this  module  is  to  provide  the  coupling 
between  modules  of  the  program  and  the  Digital  Display  Unit. 

Under  normal  operating  conditions  this  module  accepts  in- 
puts only  from  the  following  Modules: 

Status  Change  Dissemination 
Independent  Reaction 
Assessment  Patching 
Random  Guard  Assignment 
Access  Control 
Sensor  Testing 
FEDS  Testing 
Env ir onmen  tal 
Communication  Monitoring 
Sel f-Test ing 


At  certain  times  the  system  will  be  under  control  of  a 
computer  programmer  or  repairman,  who  is  to  be  called  the 
Analyst.  This  module  is  to  be  capable  of  receiving  inputs  from 
every  module  and  the  Operating  System  when  the  Central  Computer 
is  under  control  of  the  Analyst. 

The  output  of  this  module  is  sent  to  the  Digital  Display 
Units  located  within  the  Guard  Control  Stations. 


This  module  shall  have  the  capability  of 
formation  coded  in  various  digital  formats  into 


converting  in- 
strings of  ASCII 
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characters  which  form  easily  understood  English  phrases  and  sen- 
tences. ROM  capacity  for  1000  phrases  averaging  64  characters  per 
phrase  shall  be  provided. 

Physically,  the  character  information  is  to  be  sent  to 
the  Digital  Display  Unit  at  a speed  of  at  least  2400  bits  per 
second  . 

Logging  Printer  Module 

With  the  exception  of  test  data,  this  module  is  to  accept 
all  the  information  generated  by  the  Digital  Display  Unit  Driver 
Module,  convert  it  into  a format  suitable  for  printing  on  a hard 
copy  printer,  and  deliver  this  information  at  a rate  of  at  least 
2400  bits  per  second  to  the  printers  located  within  the  Guard 
Control  Stations. 

With  respect  to  test  data  on  Sensors  and  FEDS,  only  those 
tests  which  show  changes  in  the  operational  condition  shall  be 
logged  . 

The  log  is  to  contain  all  information  about  any  changes 
in  state  of  the  CSSMRS,  including  all  messages  sent  to  guards  and 
all  orders  given  by  guards  which  are  not  purely  verbal. 


Guard  Control  Station  Monitoring  Module 

This  module  is  to  accept  all  information  generated  by  the 
Guard  Control  Stations  and  disseminate  this  information  to  the 
appropriate  program  module  or  peripheral  device. 

Function  Switches  to  be  monitored  within  the  GCSs  are  to 
be  the  following: 

Ten  Digit  Keypad 

Ac  knowl  edge 

Location  Select 

Two  Digit  Code  Lifetime 

Code  Key 

Code  Master  Key 

Access 

Master  Access 
Sec  ur e 
Arm  FEDS 
Safe  FEDS 
Fire  FEDS 
Confirm 
Cancel 
TV  On/Off 
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Lights  On/Off 
TV  Bad/OK 

Pan,  Tilt  & Zoom  Controls 

Test  Sensors 

Test  FEDS 

Test  HQ  Links 

Guard  Login 

Guard  Logout 

Summon  Response 

Summon  Augmentation 


The  Ten  Digit  Function  Switch  Pad  output 
buted  to  the  Location  Selected  Register  and  to 
Mod  ul  e . 


is  to  be  distri- 
the  Login/Logout 


The  Acknowledge  Function  Switch  information  is  to  be  made 
available  to  the  Status  Change  Dissemination  Module,  which,  in 
turn  delivers  the  information  to  the  driver  modules  for  the  Geo- 
graphical Display  Unit,  the  GQPI , the  DDU , and  the  Logging 
Printer.  It  is  also  to  be  made  available  to  the  Independent  Reac- 
tion Module 

Information  from  the  Location  Select  Function  Switch  and 
the  Function  Switch  Pad  is  to  be  stored  in  the  Location  Selected 
Register.  This  information  is  used  to  govern  the  Remote  Unit  to 
which  many  of  the  guard  commands  are  directed. 

The  Two  Digit  Code  Lifetime  switch  is  used  to  indicate 
the  period  of  time  during  which  a random  number  that  is  assigned 
to  an  electronic  key  will  be  valid.  The  time  is  expressed  in  in- 
crements of  10  minutes  each  and  the  maximum  lifetime  that  is  al- 
lowable for  any  single  random  number  key  code  is  640  minutes  (10 
hours  and  40  minutes)  . 


The  Code  Key  Function  Switch  together  with  the  Ten  Digit 
Keypad  and  the  Location  Select  Function  Switch  is  used  to  load  a 
random  number  into  a single-use  electronic  key  and  to  store  that 
same  number  for  subsequent  transmission  to  the  designated  RU. 
This  number  is  erased  from  memory  after  it  has  been  successfully 
received  by  the  RU. 


The  Code  Master  Key  Function  Switch  is  used  in 


manner 


analogous  to  the  Code  Key  Function  Switch  except  that  it  is  used 


to  1 

oad 

the 

ke 

y into  a 

maste 

r el 

ec  tr 

on  ic  1 

ock 

ke 

y / 

and  the 

r and  om 

numb 

er 

i s 

no 

t erased 

from  ! 

memo 

ry  a 

f ter  t 

r an 

sm  i 

ssi 

on  to  a 

single 

RU; 

i t c 

an 

be 

tr ansm it 

ted  to 

m ul 

tipi 

e RUs 

up 

to 

the 

1 im  i t 

of  its 

life 

time 

• 

The 

Ac 

cess  Fun 

c tion 

Swi  tc  h , 

tog  eth 

e r 

wi 

th 

the  Location 

Sel  e 

c ted 

Reg  i 

ster  pr 

ov  ides 

i n 

fo  rm 

at  ion 

to 

the 

Status 

Chang  e 

Di  ss 

em  in 

a t i 

on 

Mod  ul  e . 

It  is 

used 

with  a o 

ne- 

t im 

e-u 

se  electronic 
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key  for  making  an  access  to  a single  designated  RU. 

The  Master  Access  Function  Switch  is  similar  in  operation 
to  the  Access  switch,  but  is  used  with  a master  electronic  key. 

Information  from  the  Secure  Function  Switch,  together 
with  the  Location  Selected  Register,  is  to  be  provided  to  the 
Status  Change  Dissemination  Module  for  the  purpose  of  informing 
the  CU  that  access  to  a particular  RU  is  terminated;  or  that  an 
alarm  condition  is  to  be  terminated;  or  logging  the  return  of  a 
Remote  Unit  from  ACCESS  to  SECURE. 


Information  from  the  Arm  FEDS  Function  Switch,  together 
with  the  Location  Selected  Register,  is  to  be  provided  to  the  ap- 
propriate Communication  Microprocessor  for  transmission  to  the 
addressed  RU.  The  module  is  to  reject  the  command  if  the  partic- 
ular RU  is  not  in  the  Alarm  State. 

Information  from  the  Safe  FEDS  Function  Switch,  together 
with  the  Location  Selected  Register,  is  to  be  provided  to  the  ap- 
propriate Communication  Microprocessor  for  transmission  to  the 
addressed  RU  . 

Information  from  the  Fire  FEDS  Function  Switch,  together 
with  the  Location  Selected  Register,  is  to  be  provided  to  the  ap- 
propriate Communication  Microprocessor  for  transmission  to  the 
addressed  RU  if  this  command  is  confirmed.  The  module  is  to  re- 
ject this  command  if  the  particular  RU  is  not  in  the  Alarm  State. 

Information  from  the  Confirm  Function  Switch  is  to  be 
used  within  the  GCS  Monitoring  Module  to  force  the  guard  to  make 
an  extra  confirming  function  switch  stroke  before  certain  criti- 
cal commands  are  transmitted. 

The  Cancel  Function  Switch  is  used  to  terminate  commands 
that  are  not  confirmed. 

Information  from  the  TV  On  and  TV  Off  Function  Switches 
is  to  be  used,  in  conjunction  with  the  Location  Selected  Register 
to  turn  the  camera(s)  at  that  RU  on  or  off.  The  "Camera  On  " 
command  also  serves  to  turn  on  the  assessment  lights  (if  any)  at 
the  selected  RU  and  creates  an  entry  on  the  Digital  Display  Unit 
recording  this  condition.  The  "Camera  Off"  command  removes  the 
"Camera  On"  entry  from  the  Digital  Display  Unit  but  does  not  turn 
off  the  lights  or  affect  the  entry  about  them  on  the  Digital 
Display  Unit. 

The  information  is  also  to  be  sent  to  the  Assessment  Patching 
Module,  which  assigns  the  monitor(s)  selected  by  the  Monitor 
Pointing  Switch  to  the  new  camera.  The  module  must  also  communi- 
cate with  the  RU  Status  Memory;  if  a Storage  Area  is  being  legi- 
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timately  accessed  the  module  is  to  refuse  a request  for  TV  as- 
sessment at  that,  Storage  Area. 


The  TV  Bad/OK  Function  Switch  is 
spr ing- re tur n , center-off,  switch  that  is 
the  operational  status  of  CCTV  equipments 
tions . 


a momentary  action, 
used  to  log  changes  in 
at  designated  loca- 


Information  from  the  Lights  On/Off  Function  Switchs  is  to 
be  used,  in  conjunction  with  the  Location  Selected  Register,  to 
turn  the  assessment  lights  on  and  off  at  the  selected  RU.  The 
Digital  Display  Unit  shows  the  identification  of  any  RUs  where 
lights  are  on.  The  entry  is  removed  when  the  lights  are  turned 
off. 


Information  from  the  Pan,  Tilt  & Zoom  Controls  is  to  be 
used,  in  conjunction  with  the  Location  Selected  Register,  to  ef- 
fect pan,  tilt,  and  zoom  of  the  CCTV  camera  at  the  selected  RU 
when  the  camera  at  that  RU  is  so  equipped. 

The  Test  Sensors  and  Test  FEDS  Function  Switches  are  used 
with  The  Ten  Digit  Keypad  and  the  Location  Select  Function  Switch 
to  test  the  Sensors  and  FEDS  respectively  at  the  designated  RU. 

The  Test  HQ  Links  Function  Switch  causes  an  automatically 
generated  test  transmission  exchange  on  each  of  the  alternate 
links  to  the  Augmentation  Force  Headquarters,  and  for  the  results 
of  this  test  to  be  recorded  on  the  logging  printer. 

Information  from  the  Login  and  Logout  Function  Switches 
and  the  10-digit  keypad  is  to  be  distributed  to  the  Login/Logout 
Mod  ul  e . 

Information  from  the  Summon  Response  Force  Function 
Switch  is  to  is  used  to  actuate  audible  alarms  locally  and  at  the 
Response  Force  Headquarters. 

Information  from  the  Summon  Augmentation  Force  Function 
Switch  is  to  be  output  to  the  Secure  Digital  Link  for  transmis- 
sion to  the  Augmentation  Force  Heaquarters. 

Independent  Reaction  Module 

This  module  is  to  receive  information  from  the  Status 
Change  Dissemination  Module  and  from  the  Guard  Control  Station 
Monitoring  Module  and  is  to  initiate  action  independently  of 
guards  in  the  following  circumstances: 

INPUT  REACTION 

Special  Sensor  Group  Alarm  Arm  & Fire  FEDS  immediately 
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No  Acknowledgement  at  GCS 


Alert  Resonse  Force  and 
Augmentation  Force 


RU  Miss  3 Consecutive  Cycles 


Instruct  Guard  at  SSCC 
to  Post  Guard (s)  and 
Alert  Maintenance  Personnel 


Assessment  Patching  Module 


Th 

is  modul 

e 

accepts  informa 

t io 

n f r 

om  the  RU  Status  Update 

Mod  ul e 

and 

outputs 

information  to  a 

Comm  un 

ications  Mic 

roprocessor 

to  tur 

n on 

assessm 

ent  camera(s)  fol 

lowing 

an  alarm. 

The  module 

al  so 

is 
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The  output 

of  the  camera  that  is  equipped  with  the  50  mm  lens  viewing  that 
segment  is  displayed  on  the  lower  monitor  of  the  designated  pair. 
If  the  location  that  is  selected  for  assessment  is  a magazine, 
then  only  the  lower  monitor  of  a designated  pair  is  activated; 
the  upper  monitor  displays  a blank  screen.  There  is  only  a sin- 
gle set  of  camera  controls.  A two  position  Monitor  Pointing 
Switch  in  front  of  the  guard  selects  which  of  the  monitors  is 
connected  to  the  camera  that  will  respond  to  this  set  of  controls 
(and  other  function  switch  controls)  . 


The  procedure  during  a sequence  of  alarms  is  to  be  as 
follows.  Assume  that  initially  Guard  A is  viewing  RU  71  (a  perim- 
eter segment)  on  the  Left  Monitor  Pair,  with  no  alarm  present. 
When  an  alarm  is  reported  to  the  Assessment  Patching  Module  from 
RU  80,  (a  magazine)  the  module  is  to  automatically  turn  on  the 
lights  and  camera  at  RU  80,  patch  that  camera  through  to  the 
Lower  Right  Monitor,  and  send  camera  identity  and  control  infor- 
mation to  the  indicators  associated  with  the  Right  Monitor.  Guard 
A at  this  time  is  to  acknowledge  the  alarm.  As  soon  as  he  has 
completed  his  viewing  of  the  Left  Monitor,  Guard  A may  push  his 
Monitor  Pointing  Switch  to  the  right,  which  action  is  then  to 
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connect  his  camera  controls  to  operate  the  controls  of  the  camera 
at  RU  80.  Unless  other  changes  are  made,  all  commands  to  an  RU 
are  then  directed  towards  RU  80.  These  commands  may  include  arm- 
ing and  firing  the  FEDS,  as  well  as  the  secure  command. 

The  guard  at  Guard  Control  Station  B may  choose  identical 
action  or  different. 
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Guard  Login/Logout  Module 


This  module  accepts  information  from  the  Keypad,  the 
Guard  Login  Function  Switch,  and  the  Guard  Logout  Function 
Switch.  It  also  accepts  information  from  the  real  time  clock. 
The  purpose  of  this  module  is  to  keep  a log  of  which  guards  are 
on  duty,  and  at  what  time  they  came  on  duty  and  went  off  duty. 


Random  Guard  Assignment  Module 

The  purpose  of  this  module  is  to  assign  the  on-duty 
guards  to  various  posts  within  the  Secure  Area.  It  receives  in- 
formation from  the  Login/Logout  Module  and  from  the  real  time 

clock.  It  outputs  information  to  the  Status  Change  Dissemination 
Module,  which  in  turn  is  to  display  it  on  the  DDU  and  print  it  on 
the  printer. 

This  module  is  to  generate  new  random  assignments  for 
guards  at  random  intervals  between  two  and  four  hours.  Guard 
jobs  to  be  switched  include  the  two  GCSs , mobile  vehicles , guards 

posted  outside  Remote  Units,  and  guards  assigned  to  aid  in  ac- 

cessing Storage  Areas. 

This  module  is  also  to  randomly  select,  from  a pre- 
printed table  of  routes,  pse udo- random  paths  for  patrol  vehicles 
to  follow  when  there  are  no  alarms  to  investigate.  The  route 
number  is  to  be  sent  to  the  vehicle  via  the  DDU  and  the  guard 
manning  the  primary  Guard  Control  Station. 


Access  Control  Module 

The  purpose  of  this  module  is  to  control  the  personnel 
entering  the  Storage  Areas  and  the  Perimeter  Stations.  It  is  also 
to  control  the  issuance  of  Electronic  Keys.  It  receives  data 
from  the  Keypad,  the  Access  Function  Switch,  the  Guard 
Login/Logout  Module,  the  RU  Status  Memory,  and  other  modules  as 
necessary.  It  is  to  output  data  to  the  Geographical  Display 
Unit,  the  DDU,  the  Logging  Printer,  and  to  the  Electronic  Lock 
Loading  Port.  It  also  sends  a copy  of  the  electronic  key  code  to 
the  RU  , via  the  Communications  Microprocessor. 


There  are  three  different  types  of  "keys"  to  be  con- 
trolled. These  are  the  Electonic  Keys,  the  Mechanical  Keys,  and 
the  override  mechanism  crank.  It  is  not  the  responsibility  of  the 
Central  Computer  to  control  the  login/logout  of  each  of  these 
keys;  this  is  to  be  the  responsibility  of  the  Guard  Duty  Officer. 
At  certain  installations  "Master  Electronic  Keys"  will  be  re- 
quired. These  are  to  be  keys  with  an  allowed  multi-use  provi- 
sion. The  Access  Control  Module  will  send  identical  key  codes  to 
the  Remote  Units  to  be  thus  accessed.  This  portion  of  the  module 
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is  to  be  activated  only  by  a special  procedure  which  will  be 
specified  at  a later  date. 

When  an  Access  is  to  be  made  to  an  RU  which  is  in  the 
Secure  State  Normal  or  the  Alarm  State  Normal,  an  Electronic  Key 
and  a Mechanical  Key  are  to  be  issued.  If  the  RU  is  in  any  other 
state,  a Mechanical  Key,  an  Electronic  Key  and  a Crank  Key  are  to 
be  issued.  The  number  of  any  RU  to  be  accessed  is  to  be  entered 
into  the  Central  Computer  by  means  of  the  Keypad  and  the  Access 
Function  Key.  When  this  occurs  the  proper  key  code  will  be 
transmitted  to  the  RU  where  it  will  be  valid  for  one  minute. 

At  the  time  that  the  electronic  key  code  is  transmitted 
to  a RU,  the  Access  Control  Module  will  cause  the  yellow  light  on 
the  Geographical  Display  Unit  to  flash  for  the  RU  that  is  about 
to  be  accessed.  When  the  RU  is  actually  accessed,  alarms  will  be 
transmitted  that  will  cause  the  yellow  light  to  become  steady. 

Guard  instructions  shall  be  for  one  member  of  the  access 
team  to  telephone  the  GCS  from  the  outside  of  the  RU  before  at- 
tempting an  access. 


Sensor  Testing  Module 

The  purpose  of  this  module  is  to  initiate  the  routine 
testing  of  sensors  at  the  Remote  Units.  It  accepts  information 
from  the  RU  Status  Memory  and  outputs  information  to  the  Remote 
Unit  under  test,  the  Digital  Display  Unit,  the  Guard  Operating 
Panel  indicators,  and  the  Logging  Printer. 

A guard  may  also  initiate  testing  of  the  sensors  at  a RU 
by  means  of  the  Keypad  and  the  Location  Select  and  Test  Sensors 
Function  Switches.  This  will  cause  the  CU  to  generate  a series 
of  messages  to  the  RU  that  will  sequentially  test  each  of  the 
sensors  at  the  selected  location. 

This  module  is  to  have  a low  priority  in  terms  of  Central 
Unit  time  demands.  It  is  to  be  designed  so  that  each  sensor  in 
the  CSSMRS  is  tested  once  per  24  hour  period  on  an  automatic 
basis. 


The  results  of  this  testing  are  to  be  reported  by  summary 
only  to  the  DDU,and  the  Logging  Printer  as  long  as  tests  remain 
positive.  Any  tests  failed  are  to  be  reported  on  the  DDU  and  the 
Logging  Printer  in  detail  at  once. 

FEDS  Testing  Module 

This  module  is  to  be  similar  to  the  Sensor  Testing  Module 
except  that  the  electrical  continuity  of  the  firing  squibs  are 
tested  instead  of  sensors. 
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Environmental  Correlation  Module 


The  purpose  of  this  module  (which  may  be  implemented  in  a 
separate  computer  at  the  option  of  the  contractor)  is  to  compute 
the  probability  of  natural  occurrences  having  triggered  nuisance 
alarms,  and  to  inhibit  the  distribution  of  alarms  to  the  DDU  and 
the  Geographical  Display  Unit  if  there  is  a high  degree  of  cer- 
tainty that  the  alarms  were  caused  by  natural  occurrences.  It  is 
widely  known  and  accepted  that  many  types  of  environmental  back- 
ground disturbances  can  stimulate  intrusion  detection  sensors  and 
produce  nuisance  alarms.  These  are  nuisance  alarms  rather  than 
false  alarms  because  the  sensor  is  responding  to  the  stimulus 
that  it  was  designed  to  respond  to;  it  is  just  that  the  source  of 
that  stimulus  is  from  a naturally  occurring  event  rather  than  an 
intruder.  For  example,  seismic  sensors  that  respond  to  the  slight 
earth  motions  produced  by  the  passage  of  an  intruder  will  respond 
equally  well  to  motion  induced  in  the  earth  by  the  roots  of  a 
wind  blown  tree,  or  to  disturbances  produced  by  a distant  earth- 
quake. Thunder,  sonic  booms  or  the  passage  of  heavy  vehicular 
traffic  such  as  a train  can  also  induce  earth  motions.  There  are, 
however,  enough  distinguishing  features  about  many  of  these  dis- 
turbances that  it  should  be  possible  to  identify  them  through  the 
application  of  digital  correlation  techniques  utilizing  data  from 
other  sensors.  For  example,  thunder,  sonic  booms  and  passing 
trains  all  produce  acoustic  disturbances  as  well  as  earth  mo- 
tions, and  this  fact  might  be  used  to  assist  in  the  identifica- 
tion of  the  source  of  the  disturbance.  The  limited  amount  of 
research  that  has  been  conducted  in  applying  these  sorts  of 
correlation  techniques  has  shown  much  promise,  but  much  more  work 
will  have  to  be  done  before  the  full  potential  that  is  believed 
to  exist  can  be  applied  to  the  CSSMRS. 

The  inputs  to  this  module  are  from  sensors  specialized  to 
detecting  natural  phenomena  (such  as  thunderstorms,  earth 
tremors,  etc.)  and  the  reports  of  the  sensors  located  at  the  Re- 
mote Units.  The  environmental  sensors  will  be  located  at  or  near 
the  SSCC  and  will  provide  direct  inputs  to  the  correlation  pro- 
cesso r . 

Other  inputs  to  this  module  that  are  also  not  yet  fully 
defined  are  signals  from  detectors  that  are  capable  of  recogniz- 
ing trace  materials  that  may  be  incorporated  in  FEDS.  These  could 
provide  indication  of  the  activations  of  FEDS  by  an  RU  operating 
in  the  Autonomous  mode. 


Communications  Monitoring  Module 


The  purpose  of  this  module  is  to  monitor  the  communica- 
tion cycles  between  the  Communication  Microprocessors  and  the  RUs 
in  each  of  their  CROSSFIRE  Loops.  The  input  to  this  module  is 
from  the  RU  Status  Memory,  and  the  output  is  to  the  Geographical 
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Display  Unit,  the  DDU , the  Guard  Operating  Panel  indicators,  and 
the  Logging  Printer. 

If  any  RU  misses  more  than  3 polls  sequentially,  on  ei- 
ther the  CW  Loop  or  the  CCW  Loop,  the  module  is  to  compute  the 
most  probable  point  that  an  attack  or  an  equipment  failure  has 
occurred,  A guard  patrol  is  to  be  immediately  dispatched  to  the 
suspected  location.  TV  Assessment  is  also  to  be  used;  note  that 
communication  still  exists  if  only  one  of  the  redundant  loops  is 
down.  If  assessment  and  direct  observation  by  a guard  patrol  do 
not  discover  the  cause  of  the  failure,  the  on-duty  repairman  is 
to  be  dispatched. 

If  both  redundant  loops  fail,  a guard  must  be  posted  at 
any  Remote  Units  that  are  not  in  communication  with  the  CU,  in 
addition  to  the  other  actions  denoted  in  the  previous  paragraph. 


Self-Test  Module 

The  purpose  of  this  module  is  to  provide  certain  automatic  checks 
to  see  if  the  Central  Computer  is  operating.  These  checks  are  to 
include  an  arithmetic  check,  a sum  of  the  numeric  equivalent  of 
all  the  orders  in  ROM,  and  several  testing  dialogues  between  the 
computer  and  the  guards  manning  the  GCSs . 

These  tests  are  to  have  a low  priority,  but  a complete 
set  of  the  tests  are  to  be  performed  within  each  four  hour 
period,  or  whenever  required  by  a guard. 


Response  Forces  Alerting  Driver  Module 

This  module  is  to  alert  the  nearby  response  forces  in  the 
event  of  emergency  conditions.  It  is  activated  either  by  manual 
action  on  the  part  of  on-duty  guard  forces,  or  by  the  failure  of 
the  on-duty  guards  to  acknowledge  an  alarm  within  the  alloted 
time  interval.  Its  output  is  energizing  an  audible  alarm  at  the 
barracks,  ready  room  or  other  designated  location  of  response 
forces,  and  simultaneously  energizing  a high  intensity  alarm  lo- 
cated within  the  exclusion  area,  but  audible  to  the  response 
fo  rces . 

Augmentation  Forces  Driver  Module 

The  purpose  of  this  module  is  to  provide  a method  of 
alerting  the  Augmentation  Force  in  case  a situation  arises  that 
the  guard  forces  on  duty  cannot  handle.  The  method  of  communica- 
tion itself  is  to  be  two  way  digital  links,  using  encryption  , 
from  the  SSCC  to  the  headquarters  of  the  Augmentation  Forces. 

The  driver  module  is  also  to  provide  a testing  program 
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for  the  links.  The  test  program  is  to  be  one  of  the  low  priority 
modules  and  provides  for  the  exchange  of  pseudorandom  sequence 
numbers  between  the  CU  and  the  higher  headquarters  controlling 
the  Augmentation  Forces  alternately  on  each  of  the  dual  redundant 
links.  The  procedure  has  been  described  in  the  section  on  the 
secure  digital  data  links. 


Operating  System  for  the  Central  Computer 


In  order  to  reduce  the  number  of  undiscovered  errors  in 
programs,  and  in  order  to  reduce  the  period  needed  to  debug  pro- 
grams, the  Operating  System  (OS)  and  all  the  program  modules  are 
to  be  based  upon  cyclic  polling  of  inputs  instead  of  being  inter- 
rupt driven.  The  only  exceptions  to  this  philosophy  are  to  be  the 
Initialization  Module  and  the  Resynchronization  Module.  Any 
further  exceptions  to  this  philosophy  will  be  justified  in  writ- 
ing by  the  contractor. 

All  commands  of  the  Operating  System  and  the  Program 
Modules  are  to  be  stored  in  Read  Only  Memory  (ROM) . 

The  Cycle  Period  for  the  Operating  System  is  to  be  0.1 
second.  During  periods  of  low  activity,  e .g . , few  or  no  alarms, 
the  program  is  to  be  padded  up  to  0.1  second  by  using  low  priori- 
ty modules,  as  will  be  explained  in  succeeding  paragraphs. 

All  inputs  which  desire  servicing  shall  be  serviced 
sequentially  in  each  Cycle  Period  of  the  Operating  System.  Dur- 
ing times  when  alarms  are  occurring,  the  low  priority  padding 
modules  are  to  be  skipped  as  necessary  in  order  to  keep  the  Cycle 
Period  at  0.1  second.  As  the  alarm  rate  increases  beyond  the 
point  at  which  the  OS  can  maintain  the  0.1  second  period,  even 
with  all  low  priority  modules  cut  out,  the  Cycle  Period  is  to  be 
increased  as  necessary  in  order  to  service  all  input  requests. 

Figure  12  shows  a flow  chart  of  the  Operating  System  of 
the  Central  Computer. 
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ter ed  . 


The  poll  of  the  Environmental  Correllation  Module  is  the 
first  event  of  the  Cycle  Period. 

Next,  the  pointer  registers  for  the  Status  Change  Dissem- 
ination Module  are  to  be  checked.  If  changes  have  occurred,  out- 
puts are  to  be  sent  to  the  Driver  Modules  for  the  Geographical 
Display  Unit,  the  DDU , the  GOPI , and  the  Logging  Printer. 

Following  this,  the  Assessment  Patching  Module  is  to  be 
entered  if  there  has  been  a new  alarm. 

Next,  the  Guard  Control  Station  Monitoring  Module  is  en- 
tered. This  Module  checks  the  flags  for  each  one  of  the  Function 
Keys.  For  each  function  key  there  is  a Sub-Module. 

Next,  the  Independent  Reaction  Module  is  entered. 

When  each  of  the  Function  Switches  has  been  serviced  the 
Communication  Monitoring  Module  is  to  be  entered. 

Following  this,  the  flags  for  resynchronization  are  to  be 
checked.  If  an  error  flag  has  existed  for  a period  of  a second, 
and  if  three  resynchronization  tries  have  not  already  been  made, 
the  Resynchronization  Module  is  called  in.  If  three  tries  have 
already  been  made  a request  for  the  repairman  is  to  be  sent  to 
appropriate  output  modules. 

The  execution. of  the  Resynchronization  Module  is  always 
to  be  followed  by  returning  to  the  Environmental  Correlation 
Mod  ul  e . 


If  the  Resynch  Module  is  not  executed,  the  Cycle  Clock  is 
interrogated.  If  there  is  still  time  within  one  Cycle  Period  to 
excecute  one  or  more  of  the  low  priority  modules,  these  are  to  be 
ex ec uted . Fol 1 owing  their  execution  , the  OS  is  to  call  in  the  En- 
vironmental Correlation  Module  for  the  beginning  of  a new  Cycle 
Per iod  . 


Low  Priority  Supervisory  Module 

The  purpose  of  this  module  is  to  order  the  execution  of 
certain  low  priority  tasks  in  a cyclic  manner  so  as  to  use  up  the 
remaining  time  in  each  Major  Cycle  Period.  This  Supervisory 
Module  is  to  be  entered  following  the  Resynchronization  Module, 
but  no  time  will  be  spent  performing  low  priority  tasks  if  resyn- 
chronization was  actually  performed,  since  that  activity  is  ex- 
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pected  to  require  several  tenths  of  seconds 


A hardware  chip,  called  the  Cycle  Clock,  is  to  keep  track 
of  the  length  of  time  since  the  beginning  of  the  Major  Cycle 
Per  iod  . 


At  the  beginning  of 
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Communications  Microprocessors  at  the  Central  Unit 

Communications  between  the  Remote  Units  and  the  Central 
Unit  are  to  be  controlled  by  a group  of  small  computers  called 
the  Communications  Microprocessors  (CMs) . Each  of  these  is  as- 
signed to  poll  a number  of  Remote  Units  (up  to  24  RUs)  in  a 
CROSSFIRE  loop. 


In  order  to  allow  the  CMs  to  send  information  to  the  Cen- 
tral Computers  without  interrupting  the  Central  Computer's  pro- 
gram, a First-In-First-Out  (FIFO)  buffer  is  to  be  used. 


Program  Modules  for  the  Communications  Microprocessor 

The  modules  are  to  consist  of  the  following: 

Initial  ization 

Polling  of  the  Remote  Units 

Communication  Loss  Word  Generator 

Poll  Period  Word  Generator 

Summary  Report  Preparation 

Sel f-Test 
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Initialization  Module 


The  purpose  of  this  module  is  to  recognize  that 
power  is  properly  up  and  then  preset  all  memory  and  registers  to 
their  appropriate  values. 


Polling  of  the  RUs  Module 

The  polling  of  the  remote  units  is  to  be  done  on 
a cyclic  basis  such  that  each  RU  is  normally  polled  during  a time 
window  between  80  milliseconds  and  100  milliseconds  from  the  last 
poll.  If  , during  periods  of  relative  inactivity,  or  because  of 
having  very  few  RUs  to  poll,  excess  time  is  available  to  the  CM, 
the  CM  is  to  go  into  a "Pause"  state  to  pad  out  the  extra  time. 

Under  conditions  of  heavy  activity  the  CM  may  not  be  able 
to  maintain  this  cycle,  and  , under  such  circumstances,  the  pol- 
ling cycle  is  to  be  extended  as  necessary. 

The  control  procedures  and  message  formats  have  been  pre- 
viously described  in  the  descriptive  sections  on  digital  communi- 
cations . 


Communication  Loss  Word  Generator  Module 

The  purpose  of  this  module  is  to  keep  track  of  the  recent 
answering  of  polls  by  each  RU,  so  that  proper  action  can  be  taken 
if  communication  is  lost.  The  input  to  this  module  is  from  the 
polls,  and  the  output  is  to  the  Summary  Report  Generator  Module. 

Each  CU  is  to  have  a Communication  Loss  Word  (CLW)  asso- 
ciated with  it  in  the  memory  of  the  CM.  The  word  is  to  consist  of 
two  bits  with  meanings  as  follows: 

00  - No  polls  missed 

01  - One  poll  missed 

10  - Two  polls  missed 

11  - More  than  two  polls  missed 

The  CLW  is  to  be  reported  to  the  CU  (via  the  Summary  Re- 
port) each  time  the  CLW  has  changed. 


Poll  Period  Word  Generator  Module 

The  purpose  of  this  module  is  to  keep  track  of 
how  long  the  last  polling  cycle  took  to  complete.  The  input  to 
the  module  is  information  from  the  polls  and  information  from  an 
interval  timer  hardware  chip.  The  output  is  to  the  Summary  Report 
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Generator  Module. 


The  Poll  Period 
meanings  as  follows: 
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The  eventual  destination  of  the 
Module  in  the  Central  Computer  program. 


PPW  is  the  Correlation 


Summary  Report  Generator  Module 

The  purpose  of  this  module  is  to  reorganize  the  date 
which  must  flow  from  the  CM  to  the  Central  Computer  in  such  a way 
that  the  Central  Computer  program  is  optimized  with  respect  to 
speed,  especially  the  RU  Status  Update  Module  and  the  Environmen- 
tal Correlation  Module. 
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Power  for  the  Central  Computer  Complex 

In  keeping  with  the  overall  requirement  for  extremely 
high  reliability  in  the  Central  Computer  Complex,  each  of  the 
three  computers  in  the  triply  redundant  configuration  should 
operate  from  its  own  independent  power  supply.  Thus,  failure  of 
a single  power  supply  could  only  affect  one  of  the  three  comput- 
ers. Each  of  the  power  supplies  must  have  floating  backup  bat- 
teries with  capacity  to  continue  uninterrupted  operation  for  at 
least  fifteen  minutes  following  the  loss  of  primary  power.  It  is 
anticipated  that  normally  the  sites  emergency  generator  units 
could  be  powered  up  and  assume  the  essential  loads  in  less  than 
one  minute.  As  a third  level  of  protection  against  even  the 
failure  of  site  emergency  generator  units,  the  Central  Computer 
Complex  should  be  equipped  with  liquified  gas  fueled  internal 
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combustion  engine  generator  units  that  could  be  used  to  maintain 
the  charge  of  the  backup  battery  systems.  Fuel  required  to  sup- 
port the  CU  total  power  requirements  for  at  least  24  hours  must 
be  maintained  at  all  times.  This  auxiliary  generator  must  be 
suitably  isolated  from  the  normal  (commercial)  and  the  site  emer- 
gency source  of  primary  power  so  that  load  transfer  would  not  in- 
volve synchronization  of  frequency  or  phase  and  would  not  intro- 
duce switching  transients.  Start  up  of  the  liquified  gas  fueled 
generator  should  be  automatically  initiated  within  five  minutes 
after  loss  of  normal  or  emergency  primary  power.  Liquified  gas 
is  preferred  to  gasoline  for  this  engine  generator  system  because 
of  its  more  reliable  starting  characteristics. 

The  comparators  and  the  selection  logic  used  for  input  to 
or  output  from  the  A,  B an  C Bus  of  the  redundant  computer  system 
are  to  be  powered  from  the  three  backup  battery  systems  using 
diode  coupling  so  that  failure  of  all  three  batteries  and  their 
associated  power  supplies  would  be  required  to  disable  this  cir- 
cui try. 


The  backup  batteries  should  be  capable  of  being  fully  re- 
charged within  four  hours  after  having  furnished  the  complete 
power  requirements  of  the  CU  for  a period  of  fifteen  minutes. 

Location  of  the  Central  Computer  Complex 

It  is  anticipated  that  the  location  of  the  Central  Com- 
puter Complex  will  be  site  specific.  In  all  instances,  however, 
the  selected  location  should  be  secure  and  well  protected  and 
subject  to  the  two  man  rule,  i.e.,  no  single  individual,  be  it 
guard  or  repairman,  should  have  access  to  the  complex  alone.  A 
magazine  located  close  to  the  SSCC  should  be  considered  as  a 
likely  candidate  if  there  is  not  a suitable  vault  or  strong  room 
within  the  SSCC  itself.  Insofar  as  practical,  the  backup  battery 
power  supply  and  the  liquified  gas  powered  engine  generator 
should  also  be  located  in  a protected  area  where  they  would  not 
be  subject  to  easy  disablement  by  man-portable  weapons. 
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Guard  Control 


Stations 


There  are  two  Guard  Control  Stations  in  the  CSSMRS  that 
provide  the  principal  interface  between  the  system  and  security 
personnel.  One  of  the  Guard  Control  Stations  within  the  Site 
Security  Control  Center  will  be  designated  as  the  primary,  while 
the  other  station,  typically  located  in  a surveillance  tower,  is 
designated  a secondary  station  and  serves  as  a backup  to  the  pri- 
mary station.  All  controls,  indicators  and  displays  are  dupli- 
cated in  the  two  Guard  Control  Stations  and  the  guard  at  each  lo- 
cation has  the  same  capability  to  interact  with  the  system. 

Only  one  station  and  one  operator  is  actually  needed  to 
operate  and  control  the  CSSMRS.  The  second  station  has  been  ad- 
ded to  raise  the  reliability  of  the  system,  to  provide  an  extra 
monitor  of  operations,  extend  the  two-man  rule  to  station  activi- 
ties, to  increase  the  capability  and  effectiveness  during  times 
of  unusually  high  activity  by  permitting  task  overflow  to  this 
second  station,  and  to  reduce  vulnerability  in  the  event  of  an 
attack  and  loss  of  a Guard  Control  Station. 


CSSMRS  components  that  are  available  to  the  guards  at 
each  station  include  a Digital  Display  Unit  (CRT  display  of  al- 
phanumeric data) , two  CCTV  monitors,  a group  of  Function 
Switches,  a key  pad  and  thumbswi tches  for  data  entry  and  system 
control,  status  indicator  lamps,  audible  alarms,  a port  for  load- 
ing the  electronic  key,  appropriate  display  labels,  a digital 
date-time  clock,  a logging  printer,  television  controls  , an  au- 
dio tape  recording  and  playback  system,  a keyboard/display  termi- 
nal and  a map-like  Geographical  Display  Unit.  Their  general  ar- 
rangement is  shown  in  Figures  13  and  14.  These  components  are 
mostly  peripherals  that  are  attached  to  the  input/output  bus  of  a 
microprocessor  that  is  in  communication  with  the  CU  via  a fiber 
optic  digital  data  link  and  using  the  same  speed  and  control  pro- 
cedures that  are  employed  with  the  data  links  to  the  RUs . Here, 
however,  a star  configuration  is  employed  between  the  CU  and  the 
two  Guard  Control  Stations  rather  than  the  CROSSFIRE  dual  loop 
arrangement  used  with  the  RUs.  Each  station  has  its  own  power 
supplies  and  backup  batteries  with  capacity  to  continue  all 
operations  for  at  least  fifteen  minutes  after  loss  of  primary 
power  and  with  hook-up  to  the  emergency  gas  powered  generator 
system  that  supplies  the  CU  as  backup  in  the  event  that  the 
standby  site  power  is  unable  to  restore  service  within  five 
minutes  after  loss  of  power. 


Each  Guard  Control  Station  is  equipped  with  an  operating 
console  that  houses  the  various  displays  and  controls  that  the 
guards  use  to  interact  with  the  system,  and  a voice  intercommuni- 
cations facility  is  provided  between  the  two  stations  to  facili- 
tate cooperative  actions  under  emergency  or  peak  load  cir- 
cumstances and  to  resolve  any  problems  involving  contention  since 
neither  station  has  preemptive  rights  over  system  controls. 
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Identical  graphic  display  information  and  audible  warning  signals 
provide  additional  feedback  and  guidance  to  the  two  operating 
security  personnel. 

A duress  alarm  system  is  provided  at  each  Guard  Control 
Station  and  arranged  so  that  if  it  is  activated  a silent  signal 
will  appear  at  the  other  Guard  Control  Station  in  the  form  of  a 
message  on  the  Digital  Display  Unit  directing  the  guard  to  take 
action  appropriate  to  that  specific  site.  The  method  of  activat- 
ing this  duress  alarm  is  optional  and  may  be  any  suitable  form  of 
concealed  switch.  In  the  case  of  personnel  being  placed  under 
duress  in  the  course  of  accessing  a magazine,  it  is  anticipated 
that  this  would  be  signalled  by  the  use  of  cue-words  in  the  tele- 
phone exchanges  that  they  would  make  with  the  SSCC. 
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Block  Diagram  of  Guard  Control  Station  Configuration 
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133  CM 


Figure  14  General  Arrangement  of  Guard  Control  Station  Components 


In  Fig.  14,  the  numbers  associated  with  various  com- 
ponents of  the  station  are  referenced  in  the  descriptions  that 
fol low. 

Guard  Operating  Panel  (31) 

The  Guard  Operating  Panel  (GOP)  has  been  laid  out  with 
emphasis  on  Human  Factors  Engineering.  Controls  and  indicators 
have  been  arranged  in  groups  that  conform  with  the  natural  se- 
quence of  operation  to  facilitate  error-free  operation  by  the 
guards.  All  surfaces  are  slanted  to  some  extent  and  controls  and 
indicators  are  sealed  and  recessed  for  protection  against  spilled 
1 'quids  harmful  particles,  accidental  operation  or  inadvertent 
operator  inflicted  damage.  All  components  should  be  selected  for 
reliability,  long  life,  ease  of  operation  and  physical  sturdiness 
together  with  a minimum  of  moving  mechanical  parts. 


Digital  Display  Unit  (12) 

The  Digital  Display  Unit  is  central  to  the  operator's 
console.  It  displays  two  types  of  information:  dynamic,  action 

events  such  as  alarms  and  recommended  response  actions,  and 
quasi-static  status  information  such  as  equipment  malfunctions, 
accesses  in  process,  sites  where  CCTV  and/or  lights  are  on  or  lo- 
cations where  backup  battery  power  is  maintaining  operation.  The 
latter  information  is  displayed  continuously  during  normal,  no- 
alarm conditions  on  a 30.5  cm  (12  in.)  diagonal  screen  cathode 
ray  tube  capable  of  displaying  a 24-  line  by  80-character  format. 
When  an  alarm  occurs,  this  display  is  stored  and  is  replaced  by 
the  alarm  information  displayed  in  large  characters  in  a 16-line 
by  32-character  format.  The  occurrence  of  an  alarm  is  also  sig- 
nalled by  a short  audible  tone  which  is  followed,  after  ack- 
nowledgement of  the  alarm,  by  vocalization  of  the  alarm  informa- 
tion using  a voice  annunciation  system.  If  the  alarm  has  not 
been  acknowledged  within  15  seconds,  another  distinctive  tone 
signal  is  emitted  and  the  voice  announcement  is  repeated.  If 
another  15  seconds  passes  without  acknowledgement,  a high  inten- 
sity alarm  is  sounded  for  10  seconds  and  then  the  Response  Forces 
are  summoned  and  higher  headquarters  is  alerted. 

Alarm  information  remains  on  the  Digital  Display  Unit  un- 
til cleared.  Clearing  can  occur  as  a result  of  assessment  that 
discloses  that  the  alarm  resulted  from  some  innocuous  nuisance 
event  followed  by  actuation  of  the  "Secure"  function  switch,  or 
clearing  can  follow  from  a guard  patrol  coping  with  an  intruder 
and  eventual  restoration  of  secure  conditions.  Finally,  clearing 
can  also  result  from  failure  of  the  alarming  sensor  to  pass  a 
sensor  test.  The  malfunctioning  sensor  is  then  listed  on  the 
quasi-active  status  file  where  it  remains  until  it  successfully 
passes  a sensor  test  following  maintenance  action.  This  file  is 
displayed  continuously  except  when  uncleared  alarms  are  present. 
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Full  information  about  only  a single  alarm  at  a time  is 
presented  on  the  display.  When  there  is  more  than  one  alarm  out- 
standing, data  about  the  additional  alarms  is  placed  in  an  circu- 
lar buffer,  closed  loop  queue,  and  these  data,  together  with  the 
voice  annunciation  of  the  second  and  subsequent  alarms,  is 
presented  to  the  guard(s)  as  they  may  be  called  up  sequentially 
and  independently  at  either  of  the  two  Guard  Control  Stations. 
Whenever  there  is  more  than  one  alarm  outstanding,  the  display 
will  carry  the  legend,  "MORE  ALARMS",  and  their  location(s),  in 
addition  to  the  information  about  the  alarm  that  is  being 
displayed.  Alarms  may  be  called  up  in  the  sequence  in  which  they 
were  acknowledged  by  using  the  Monitor  Pointing  Switch,  or  may  be 
called  up  in  any  sequence  using  the  ten-digit  key  pad  and  Loca- 
tion Select  function  switch.  The  information  to  be  presented 
about  each  alarm  includes  location,  type  of  sensor,  time  of  alarm 
onset,  whether  the  alarm  was  momentary  or  is  persisting  and, 
where  appropriate,  suggested  response  actions. 

Information  that  is  presented  in  the  status  display  (when 
there  are  no  uncleared  alarm  conditions)  includes  the  identifica- 
tion number  of  the  guard(s)  that  are  logged  in,  identification  of 
any  CSSMRS  components  that  are  judged  to  be  malfunctioning  as  a 
result  of  failing  self-test,  identification  of  any  CCTV  cameras 
or  camera  lights  that  are  on,  or  that  have  been  determined  to  be 
malfunctioning,  identification  of  any  components  that  are  operat- 
ing on  backup  battery  power,  identification  of  electronic  keys 
which  have  been  issued  for  authorized  access  actions  and  the  time 
remaining  during  which  their  use  is  valid,  RUs  that  are  in  the 
access  state,  and  finally,  any  unacknowledged  routine  instruc- 
tions to  security  personnel  such  as  patrol  routing,  sensor  test 
request , etc . 

CCTV  Monitors  (11,13) 

On  either  side  of  the  Digital  Display  Unit,  a pair  of 
CCTV  monitors  are  mounted.  These  are  20  cm.  (8  inch)  nominal  di- 
agonal, black  and  white  display  tubes,  and  either  monitor  can  be 
connected  to  any  assessment  camera  on  the  site.  Associated  with 
each  monitor  there  is  an  alphanumeric  display  that  automatically 
indicates  to  which  camera  the  monitor  is  connected  and  indicates 
what  types  of  controls  (pan,  tilt,  etc.)  , if  any,  are  available 
at  that  camera.  The  camera  location  is  identified  by  the  identi- 
ty or  zone  number  of  the  RU  associated  with  the  camera,  and  the 
available  controls  are  identified  by  display  of  appropriate  label 
in  fo  rmat ion . 

Monitor  Pointing  Switch  (20) 

A Monitor  Pointing  Switch  is  provided  on  the  console  to 
facilitate  the  rapid  switching  of  both  camera  controls  and  func- 
tion switch  controls  from  the  location  displayed  by  one  monitor 
to  that  displayed  by  the  other.  This  switch  is  arranged  so  as  to 
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from  both 

o f 

the 

per  imet 

er 

segment  camera 

s appears 

on  the  r 

ight  hand  monitor  pair. 

If  the 

ala 

rm  is  from  a m 

agazine  , 

only 

the 

1 ower 

monitor 

o f 

the 

right  h 

and 

pair  is  activ 

ated  . An 

a ud  i 

bl  e 

signal 

alerts  the  secu- 

rity  personnel  at  the  guard  control  stations.  The  site  status 
information  is  removed  from  the  Digital  Display  Units  and  re- 
placed by  summary  alarm  information  ((location  and  type ( s)  of 
sensor))  together  with  a request  for  guard  acknowledgement.  Ack- 
nowledgement is  accomplished  by  throwing  the  Monitor  Pointing 
Switch  to  the  right-hand  monitor.  This  also  attaches  the  control 
capabilities  of  the  location  dependent  function  switches  to  the 
RU  at  which  the  alarm  has  occurred  and  displays  the  identity  of 
that  RU  on  the  Location  Select  Display,  silences  the  audible 
alarm,  enables  the  voice  annunciation  system  to  verbally  annunci- 
ate the  alarm  ac  that  Guard  Control  Station  only,  and  releases 
any  supplementary  response  instructions  for  display  on  the  Digi- 
tal Display  Unit  and  removes  the  acknowledgement  request  from 
that  display.  At  the  secondary  Guard  Control  Station,  the  CCTV 
scene  from  the  alarming  RU  would  appear  on  the  unselected  monitor 
pair  and  the  summary  alarm  information  would  appear  on  the  Digi- 
tal Display  Unit.  Cessation  of  the  audible  alarm  and  removal  of 
the  acknowledgement  request  from  the  digital  display  would  pro- 


vid  e 

ev  id ence 

tha  t 

the 

alarm  had  b 

e 

en  acknowledged 

at  the  primary 

sta  t i 

on.  The 

g ua 

rd 

at  the  sec 

o 

ndary  station  co 

uld  optionally 

ac  kno 

wledge  al 

so  , a 

nd  i 

n this  even 

t 

, he  would  also 

receive  the 

voice 

annunc i 

at  ion 

o f 

the  alarm 

and  the  supplem 

en tar y d ig  i tal 

respo 

nse  instr 

uc  t io 

ns  o 

n his  displ 

a 

y unit. 

If  , wh 

i 1 e a 

sses 

sment  of  th 

i 

s first  alarm  is 

in  process  at 

the 

pr  imar  y 

s tat  i 

on  , 

a second 

alarm  occurs,  then  the  audible 

al  arm 

is  again 

star 

ted  , 

the  legend 

/ 

"MORE  ALARMS  - 

ACKNOWLEDGE" , 

and 

their  lo 

ca  t io 

n(  s) 

, appears  o 

n 

the  Digital  Dis 

play  Unit,  the 

1 ig  ht 

in  the  " 

Ac  kno 

wledge"  functio 

n 

switch  begins 

to  flash  and 

the 

1 eft-hand 

moni 

to  r 

displays  th 

e 

scene  from  the 

CCTV  camera(s) 

at  the  locatio 

n o f 

this 

new  alarm. 

The  primary  sta 

tion  guard  now 

has  optional  courses  of  action.  He  can  actuate  the  "Acknowledge" 
function  switch  immediately;  this  will  silence  the  audible  alarm 
and  delete  the  "ACKNOWLEDGE"  portion  of  the  legend  on  the  digital 
display  and  queue  the  alarm  information  for  subsequent  attention. 
This  leaves  his  function  switches  and  camera  controls  still  con- 
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nected  to  the  site  of  the  first  alarm  where  that  assessment  may 
be  continued.  Alternatively,  he  can  actuate  his  Monitor  Pointing 
Switch  to  the  left  to  acknowledge  this  new  alarm  as  well  as  to 
release  his  controls  and  function  switches  from  the  right-hand 
monitor  location  and  attach  them  to  the  location  of  this  new 


alarm. 

If 

he  felt  that 

he  c 

ould  com 

plete  his 

assessment 

o f 

the 

first  a 

1 arm 

and  clear  it 

in  a 

few  mor 

e 

second  s 

after  the 

sec 

ond 

al  arm 

so  und 

ed  , he  could  elect  to  d 

e 

fer  any  a 

cknowledgement 

ac- 

tions  o 

n the 

expectation 

tha  t 

the  sec 

o 

ndary  g ua 

rd  station 

wo 

uld 

ac  kno  wl 

edge 

within  the  a 

1 Iowa 

ble  tim 

e 

interval 

between  15 

and 

30 

second  s 

a f te 

r initiation. 

As 

a final 

option,  h 

e could  use 

the 

voice 

inter 

commun ic  at  ion 

s fa 

c il  it ie 

s 

to  reque 

st  that  the 

sec 

on- 

dary  st 

a tion 

guard  handle 

the 

second 

a 

1 arm  . 

Audio  Tape  System  (35) 

A dual,  cassette  type  audio  tape  system  is  provided  to 
record  all  audible  events  including  radio,  telephone,  intercom 
and  guards  comments  that  occur  during  alarm  conditions.  The  tape 
recorder  is  to  be  turned  on  automatically  when  an  alarm  is  ack- 
nowledged by  the  guard,  and  is  to  be  turned  off  automatically 
after  all  alarms  have  been  cleared  and  the  time  of  day  annuncia- 
tion has  been  made.  There  are  to  be  two  cassette  receptacles  on 
the  recorder.  One  is  protected  by  a locked  cover  so  that  only 
the  shift  supervisor  can  install  and  remove  cassettes.  The  other 
is  accessible  to  the  guard.  Both  receptacles  are  equipped  with 
sensors  that  are  arranged  so  that  the  insertion  and  removal  of 
all  cassettes  is  recorded  on  the  logging  printer.  The  same  in- 
formation is  to  be  recorded  on  both  tapes. 


A separate  a 

ud 

io  pi 

aybac 

k un 

it  i 

s 

1 oc 

ated  c 

onv en  ie 

n tl 

y to 

the 

keyboard/d  is pi  a 
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and 

is 

us 

ed 

by  the 

g ua  rd 

to 

play 

bac 

k the  tape  that  i 
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acces 

sible 

to 

him 

wh 

en 

he  is 

pr  epa  r i 

ng 

mes- 

sag 

es  on  the  termin 

al 

reg  a 

rd  ing 

the 

d i s 

PO 

sit 

ion  of 

al arms 

• 

Dur- 

ing 

these  interval 

s. 

the 

g ua 

rd 

wo  uld 

in 

stal  1 

an  al 

ter 

na  te 

cassette  in  the  recorder  so  as  to  be  available  in  the  event 
another  alarm  occurred. 

Location  Select  Display  (32) 

This  is  a three-digit  display  that  identifies  the  RU  or 
zone  to  which  the  attachable  function  switches  or  controls  are 
associated.  Its  value  will  be  the  same  as  the  value  shown  on  the 
three-digit  display  associated  with  the  CCTV  monitor  that  has 
been  selected  by  the  Monitor  Pointing  Switch. 

Ten-Digit  Key  Pad  (5) 

The  Ten-Digit  Key  Pad  is  used  to  enter  numerical  se- 
quences into  the  CSSMRS.  These  sequences  will  always  be  associ- 
ated with  the  use  of  one  of  the  function  switches  and  will 
represent  either  the  identity  number  of  guards  logging  on  or  off 
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duty  or  else  the  identification  number  of  a RU  that  is  to  be  ac- 
cessed or  to  which  CCTV  controls  or  addressable  function  switches 
are  to  be  attached.  A ten-digit  display  will  always  indicate  the 
last  number  that  has  been  entered  into  the  system  using  the  key 
pad.  A CLEAR  key  will  be  provided  on  the  key  pad  to  facilitate 
the  correction  of  erroneous  entries. 

Function  Switches  (1,  2,  6,  18,  21,  22,  29,  34) 

There  are  24  function  switches  on  the  Guard  Control  Sta- 
tion console.  Eight  of  these  might  be  considered  global  or  not 
associable  with  a specific  RU;  two  are  selective  and  are  only 
used  with  a limited  subset  of  the  other  function  switches;  the 
rest  are  attachable,  that  is,  the  results  of  their  actuation  are 
directed  to  one  specific  RU  at  any  given  time. 

Global  Functions 

The  global  function  switches  are: 

ACKNOWLEDGE  Used  to  acknowledge  an  alarm  and  place  it 

in  a queue.  If  no  other  alarms  are 
outstanding,  this  will  also  attach 


function  keys  and  CCTV  controls  to 
alarming  RU. 

the 

LOCATION  SELECT 

Used  with  the  Ten-Digit  Key  Pad  to 
an  RU  to  which  other  function  keys 
controls  are  attached. 

sel ec  t 
or  CCTV 

GUARD  LOGIN 

Records  the  time  and  identity  of  a 
logging  on  duty. 

g ua  rd 

GUARD  LOGOUT 

Records  the  time  and  identity  of  a 
logging  off  duty. 

g ua  rd 

TEST  HQ  LINKS 

Performs  a test  on  the  secure  data 
to  higher  headquarters. 

1 in  ks 

TEST  LAMPS 

Illuminates  all  indicator  lamps  to 
their  operability. 

insur  e 

SUMMON  RESPONSES  As  indicated. 


SUMMON  AUGMENT  Summons  Augmentation  Forces  from 

higher  headquarters  upon  actuation 
of  the  CONFIRM  function  switch. 

Selective  Function  Switches 

The  selective  function  switches  are: 
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CONFIRM 

CANCEL 

Both  of  these  controls  are  used  only 
in  conjunction  with  the  function 
switches  used  to  fire  FEDS  or  to 
summon  Response  or  Augmentation 
Forces.  Contention  between  Guard 
Control  Stations  in  connection  with 
the  use  of  these  controls  is  prohibited 
by  system  design. 

Attachable  Function 

Switches  and  Controls 

The  following  are  function  switches  that  direct  operations 
taking  place  at  one  or  more  specific  RUs : 


ACCESS 

Used  in  conjunction  with  the  Ten-Digit 
Key  Pad  to  transmit  the  random  number 
to  a designated  RU  that  has  previously 
been  loaded  into  a one-time  use 
electronic  key  assigned  for  authorized 
access  to  that  RU. 

CODE  KEY 

Used  to  load  an  electronic  key  with 
a random  code  that  is  good  for  the 
time  interval  shown  by  the 
two-digit  thumbswi tches  and  is 
assigned  to  the  RU  designated  by  the 
number  entered  on  the  Ten-Digit 
Key  Pad  . 

CODE  MASTER 

KEY  Used  to  load  a master  electronic 
key  with  a random  number  that  is 
valid  for  the  time  interval  shown 
on  the  two-digit  thumbswi tc hes 
and  that  may  be  used  at  any  RU 
to  which  this  code  is  transmitted 
using  the  MASTER  ACCESS  function 
swi  tch . 

MASTER  ACCESS  Used  in  conjunction  with  the  Ten- 


Digit  Key  Pad  to  transmit  a master 
electronic  key  code  to  a designated 
RU. 

SECURE 

Used  in  conjunction  with  the  Ten- 
Digit  Key  Pad  to  terminate  an  access 
or  to  clear  an  alarm  at  a designated 
RU. 

SAFE  FEDS 

Sets  the  designated  electronic  Safe/ 
Arm  switch  to  the  "Safe"  position. 

ARM  FEDS 

Sets  the  designated  electronic  Safe/ 
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Arm  switch  to  the  "Armed"  or  enabled 
po  s i t i o n . 

FIRE  FEDS  Fires  designated  FEDS  upon  actuation 

of  the  CONFIRM  function  switch. 


TV  ON/OFF  The  "On"  function  turns  on  both  the 

CCTV  camera  and  the  lights  (if  these 
are  required  by  the  camera)  at  the 
designated  location.  The  "Off" 
function  turns  off  only  the  camera. 

TV  BAD/OK  Logs  changes  in  the  operational 

status  of  the  designated  CCTV  on 
the  Digital  Display  Unit  and  on 
the  Logging  Printer. 


LIGHTS  ON/OFF  Turns  the  lights  on  or  off  at  the 

designated  location. 


TEST  SENSORS 
TEST  FEDS 
SPARE 


Initiates  an  automatic  test  of  the 
sensors  at  the  designated  location. 

Initiates  an  automatic  test  of  the 
FEDS  at  the  designated  location. 

Undefined . 


CCTV  Controls  (17,  19) 

A multifunction  joystick  is  provided  in  a convenient  lo- 
cation for  right-hand  operation  to  facilitate  issuance  of  pan, 
tilt  and  zoom  control  orders  to  a selected  camera  that  is 
equipped  with  these  features.  Another  control  group  for  camera 
lens  iris  adjustment  and  focus  are  arranged  for  left-hand  opera- 
tion. Camera  controls  are  attached  to  a specific  camera  by  using 
the  Monitor  Pointing  Switch,  either  alone  (when  acknowledging  an 
alarm  or  cycling  through  a queue  of  uncleared  alarms)  , or  in  con- 
junction with  the  key  pad  and  "Location  Select"  function  switch 
which  provides  complete  freedom  of  choice. 

Two-Digit  Thumb  Switch  (3) 

The  Two-Digit  Thumbswitch  is  used  to  set  the  time  inter- 
val, in  ten  minute  increments,  during  which  an  electronic  key  is 
valid.  The  display  shows  three  digits,  with  the  least  signifi- 
cant digit  permanently  set  to  zero,  so  that  the  displayed  value 
can  be  read  directly  in  minutes.  This  value  is  loaded  into  the 
electronic  key  along  with  the  random  number  key  code  and  when  the 
indicated  time  has  expired  the  key  code  is  erased. 

Audible  Alarms  (16,  23) 


84 


Onset  of  an  alarm  condition  is  accompanied  by  an  audible 
alarm  signal  that  persists  for  30  seconds  or  until  the  alarm  con- 
dition is  acknowledged,  whichever  occurs  first.  The  audible 
alarm  is  to  have  an  intensity  of  at  least  60  dBA  as  measured  from 
a position  that  is  within  two  feet  of  the  normal  ear  position  of 
the  security  personnel  that  would  man  the  Guard  Control  Station 
consoles.  Fifteen  seconds  after  initiation,  there  shall  be  a 
distinctive  change  in  the  nature  of  this  alarm  signal.  Thirty 
seconds  after  its  initiation,  this  signal  is  followed  by  a bell 
or  horn  producing  a sound  level  of  at  least  90  dBA  as  measured 
anywhere  within  the  Guard  Control  Stations  and  which  persists  for 
ten  seconds  unless  terminated  first  by  alarm  acknowledgement.  At 
the  end  of  the  ten  second  final  warning  period  Response  Forces 
are  automatically  summoned. 

Voice  Annunciation  Unit  (25) 

Each  Guard  Control  Station  is  equipped  with  a Voice  An- 
nunciation Unit  that  is  used  to  verbally  annunciate  alarm  mes- 
sages and  appropriate  response  recommendations.  It  is  implement- 
ed in  the  CSSMRS  to  supplement  the  transfer  of  information  from 
the  DDU  to  the  guards  reducing  their  requirements  for  reading 
skills  and  training.  The  Voice  Annunciation  Unit  is  activated 
each  time  an  uncleared  alarm  is  selected  using  either  the  Monitor 
Pointing  Switch  to  advance  the  alarms  in  an  outstanding  queue,  or 
whenever  the  key  pad  and  "Location  Select"  function  switch  are 
used  to  bring  up  a selected  alarm.  The  Voice  Annunciation  Unit 
will  be  designed  around  a ten  million  bit,  non-volatile  memory 
that  contains  a digitized  vocabulary  of  approximately  150  words 
in  each  of  two  languages,  or  five  million  bits  if  only  a single 
language  is  required.  This  will  provide  for  100  seconds  of 
speech  at  50,000  bits-per-  second.  The  digital  representations 
of  the  words  used  to  assemble  an  alarm  message  would  be  recalled 
from  this  memory  and  stored  in  a buffer  from  whence  they  would  be 
used  to  drive  a d ig  ital- to-analog  converter  to  produce  the  verbal 
alarm  annunciation.  The  speech  would  be  output  at  a rate  of  ap- 
proximately 90  words  per  minute  which  is  a rate  that  is  natural 
yet  deliberate  and  easy  to  understand.  Further,  the  speaker  used 
to  record  the  vocabulary  that  is  digitized  can  be  selected  on  the 
basis  of  articulation  and  und er stand ab il ity  and  could  be  a news- 
caster or  other  professional  communicator. 

In  addition  to  vocalizing  alarm  information,  the  Voice 
Annunciation  Unit  will  articulate  the  time-of-day  immediately 
after  any  alarm  condition  is  cleared.  This  will  permit  a time 
tag  to  be  attached  to  each  sequence  of  audible  events  that  are 
recorded  on  the  tape  recorder  during  alarm  conditions  so  as  to 
facilitate  their  association  with  the  proper  alarm. 

Status  Summary  Display  (15) 

This  display  is  a group  of  five  colored  indicators*  that 
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provide  a concise  summary  of  overall  site  status.  A green  indi- 
cator is  illuminated  only  when  all  RUs  or  zones  are  secure.  A 
red  indicator  shows  whenever  there  are  any  uncleared  alarm  condi- 
tions. A yellow  indicator  designates  that  some  authorized  access 
is  in  process  on  the  site.  A white  indicator  is  illuminated  when 
any  CSSMRS  component  is  functioning  on  backup  battery  power  and 
an  amber  indicator  is  illuminated  if  a contention  condition  oc- 
curs in  connection  with  system  commands  that  might  be  issued  by 
the  personnel  at  the  two  Guard  Control  Stations.  Such  contention 
might  occur,  for  instance,  if  both  guards  were  to  select  the  same 
CCT V camera  and  one  were  to  try  to  pan  right  as  the  other  tried 
to  pan  left.  This  sort  of  innocuous  contention  is  resolved 
through  verbal  exchanges  using  the  voice  intercommunication  fa- 
cilities between  the  two  stations.  Contention  is  non-damaging 
through  system  design  in  connection  with  the  use  of  the  "Confirm" 
and  "Cancel"  function  switches. 

Clock  (14) 

The  clock  is  a digital,  24-hour,  time-of-day  clock  that 
provides  the  same  time  information  that  is  recorded  on  the  log- 
ging printer  to  a resolution  of  one  minute. 

Logging  Printer  (27) 

The  Logging  Printer  is  used  to  provide  a permanent  record 
of  all  site  security  status  changes.  It  records,  together  with 
the  time,  all  of  the  data  elements  that  appear  on  the  Digital 
Display  Unit  except  that  recommended  response  messages  may  be 
referenced  by  their  identity  number  rather  than  printing  the  full 
prerecorded  text.  The  printer  shall  be  capable  of  accepting  and 
continuously  printing  input  data  at  a speed  of  at  least  2400  bits 
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log  are  available; 

one  of 

these 

would  normal 

iy 

be 

reserved  for 

the  use  of  the  super 

v i 

so  r . 

A 

non 

- impac  t 

: pr  in 

ter 

i s 

recommended  for  this  application  b 

ec 

ause 

o f 

the 

increc 

ised 

rel 

ia- 

bil  i t 

y that 

is  associated  with 

m 

echan 

isms  having  fewer 

mov 

ing 

par  ts 

• 

Port 

For  Elec 

tronic  Key  (33) 
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like  representation  of  the  site.  It  shows  and  identifies  each  RU 
and  each  perimeter  segment,  and  each  of  these  are  provided  with 
two  colored  indicators.  There  is  a red  indicator  which  flashes 
when  any  alarm  condition  is  reported  from  that  zone,  and  which 
changes  to  steady  red  when  the  alarm  is  acknowledged  and  is  ex- 
. tinguished  when  the  alarm  is  cleared.  There  is  also  a yellow  in- 
dicator that  is  illuminated  whenever  an  authorized  access  is  in 
process.  This  display  panel  is  normally  mounted  above  the  opera- 
tors console. 


Keyboard/Display  Terminal  (36) 


A keyboard/display  terminal  shall  be  provided  for  the 
guard  to  use  in  an  off-line  mode  to  compose  a message  identifying 
the  disposition  of  each  alarm.  The  terminal  shall  be  equipped 
with  editing  capabilities  which  will  readily  permit  a guard  that 
has  only  "hunt  and  peck"  typing  ability  to  compose,  edit,  change 
or  correct  text  until  he  is  satisfied  with  it.  Then,  using  a 
suitable  function  key  on  the  terminal,  he  will  cause  the  text  to 
be  transferred  to  the  logging  printer  where  it  will  be  permanent- 
ly recorded.  The  terminal  shall  be  arranged  to  provide  appropri- 
ate cues  to  aid  the  guard  in  this  task  by  asking  for  the  disposi- 
tion of  alarms  that  are  identified  by  their  time  of  occurrence. 
These  requests  will  appear  on  the  display  one  at  a time,  and  each 
will  remain  until  such  a time  as  the  guard  has  an  opportunity  to 
respond . 


In  addition, 
verted  to  an  on-line 
or  maintenance  perso 
control  of  a key-loc 


this  terminal  shall  be  capabl 
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SYSTEM  OPERATION 


The  detailed  descriptions  of  the  various  CSSMRS  subsys- 
tems and  components  that  have  been  presented  in  the  preceding 
sections  of  this  report  have,  in  general,  also  included  a sub- 
stantial amount  of  material  that  is  descriptive  of  the  system, 
operation.  In  this  section,  that  descriptive  material  will  be* 
expanded  and  amplified  with  particular  emphasis  on  those  aspects 
of  the  operation  that  are  perceived  by  the  guards  or  security 
personnel  that  must  interface  with  the  system. 

Log in/Logout 


A guard  is  admitted  to,  say,  the  primary  guard  control 
station  at  a site  for  his  scheduled  tour  of  duty.  He  would  typi- 
cally greet  the  guard  that  he  was  relieving  and  would  exchange 
verbal  comments  about  the  current  site  status  and  any  unusual 
event  that  might  have  occurred  during  the  shift  that  was  ending. 
Assuming  that  no  uncleared  alarms  exist,  the  Digital  Display  Unit 
would  show  the  personal  identity  number  of  the  guard  that  was 
about  to  be  relieved  together  with  the  time  that  he  logged  on 
duty.  By  using  a digital  personal  identity  number  rather  than  a 
name,  the  preparation  of  another  module  of  site  specific  software 
can  be  avoided.  The  display  unit  also  lists  any  malfunctioning 
sensors,  FEDS,  CCTVs , RUs  or  digital  data  links  and  the  time  at 
which  their  failure  was  discovered.  Also  listed  are  any  system 
components  that  are  operating  under  backup  power,  and  CCTV  cam- 
eras and  associated  lights  that  are  on,  and  any  RUs  that  are  in 
an  access  condition.  These  same  items  have  also  been  permanently 
recorded  by  the  logging  printer  as  they  occurred. 
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Figure  15  Digital  Display  After  Login 

In  this  display,  780920  represents  two  digits  each  for 
year,  month,  and  day,  respectively.  0931  is  the  time  that  RU  014 
reported  that  it  had  gone  on  battery  power  and  1158  is  the  time 
that  the  guard  having  personal  identity  number  9172730406  logged 
on  duty.  (For  clarity,  the  identity  of  the  second  guard  is  not 
shown  in  this  illustration.) 


Access 

One  of  the  listings  on  the  Digital  Display  Unit  at  the 
"changing  of  the  guard"  described  above  is  the  indication  that  RU 
014  is  functioning  on  backup  battery  power.  In  the  verbal  ex- 
change between  the  guards,  it  was  noted  that  maintenance  action 
had  been  requested  immediately  after  the  condition  had  been  au- 
tomatically reported  by  the  CSSMRS  and  acknowledged  by  the  guard. 
There  are  green  and  white  lights  on  in  the  Summary  Status 
Display. 

Now  the  maintenance  personnel  arrive  and  present  them- 
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selves  to  the  Security  Officer  who  issues  them  an  electronic  key 
and  authorizes  the  guard  on  duty  to  load  it  for  access  to  RU  014 
with  a valid  time  window  of  20  minutes.  A key  to  the  mechanical 
security  padlock  on  the  door  at  RU  014  is  issued  to  the  guard  pa- 
trol that  will  accompany  the  maintenance  personnel  to  their  des- 
tination . 


The  guard  on  duty  at  the  primary  guard  control  station 
inserts  the  electronic  key  in  the  key  port.  He  sets  the  Two  Di- 
git Code  Lifetime  Thumbswi tches  to  02.  (A  third  digit  is  fixed 
at  zero,  so  the  actual  reading  of  the  switches  is  020,  the 
desired  value  in  minutes) . He  enters  the  value  014  on  the  Ten- 
Digit  Key  Pad  and  confirms  that  it  was  correctly  entered  by  exa- 
mining the  ten-digit  display  of  the  last  value  entered.  Satis- 
fied that  it  has  been  correctly  entered,  he  actuates  the  Code  Key 
Function  Switch.  The  central  computer  generates  a random  eight 
bit  number  that  is  loaded  into  the  electronic  key  and  is  also 
stored  in  a register  for  later  transmission  to  RU  014.  Success- 
ful loading  of  the  electronic  key  is  signaled  by  the  illumination 
of  an  indicator  on  the  key  that  will  stay  on  for  20  minutes  (the 
code  lifetime)  or  until  the  key  is  used,  whichever  occurs  first. 
A new  entry  appears  on  the  Digital  Display  Unit  as  shown  in  Fig- 
ure 16. 
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780920 


09 3 i RU  014  ON  BATTERY  POWER 

1158  9172730406  ON  DUTY 

1304  20  MIN.  ONE  TIME  KEY  LOADED  FOR  014 


Figure  16 


Digital  Display  Loading  Key 
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proceed  to  RU  014  and  upon  arrival  telephone  back  to  the  control 
station  and  notify  the  guard  there  that  they  are  ready  to  enter. 
The  guard  then  enters  014  on  the  Ten-Digit  Key  Pad,  confirms  that 
it  is  correct  using  the  ten-digit  display,  and  actuates  the  Loca- 
tion Select  Function  Switch  followed  by  the  Access  Function 
Switch,  and  tells  the  maintenance  personnel  to  go  on  in.  The  Lo- 
cation Select  Display  shows  the  number  014  and  a yellow  indicator 
at  the  position  of  RU  014  begins  flashing  on  the  Geographical 
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Display  Unit,  and  the  Digital  Display  Unit  appears  as  shown  in 
Figure  17. 


780920 

0931  RU  014  ON  BATTERY  POWER 

1158  9172730406  ON  DUTY 

1304  20  MIN.  ONE  TIME  KEY  LOADED  FOR  014 

1315  KEY  CODE  TRANSMITTED  TO  014 


Figure  17  Digital  Display  After  Transmission  of  Key 

The  1315  entry  is  also  recorded  on  the  logging  printer. 

A few  seconds  later,  the  maintenance  personnel  plug  the 
electronic  key  into  it's  port  at  RU  014,  the  codes  match  and  the 
solenoid  operated  bolt  is  withdrawn  from  its  strike  and  the  door 
can  be  opened.  Back  at  the  primary  guard  control  station,  the 
flashing  light  on  the  Geographical  Display  Panel  goes  to  a steady 
state  of  illumination.  The  yellow  access  indicator  in  the  Status 
Summary  Display  Group  goes  on  and  the  green  indicator  goes  off. 
(This,  as  well  as  the  information  on  the  digital  displays,  ap- 
pears at  both  guard  control  stations) . The  Digital  Display  Unit 
appears  as  shown  in  Figure  18  and  the  1316  entry  is  recorded  on 
the  logging  printer. 
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780920 


0931 

1158 

1316 


RU  014  ON  BATTERY  POWER 


9172730406  ON  DUTY 
ACCESS  014 


Figure  18  Digital  Display  After  Access 


After  a half  hour  or  so  of  work,  the  maintenance  person- 
nel correct  the  equipment  malfunction  at  RU  014.  At  this  time 
the  white  light  in  the  Summary  Status  Display  is  extinguished  and 
the  Digital  Display  Unit  appears  as  in  Figure  19.  The  entry, 
"1350  POWER  RESTORED  RU  014",  is  recorded  on  the  logging  printer. 
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780920 


"\ 

1158  9172730406  ON  DUTY 
1316  ACCESS  014 


Figure  19  Digital  Display  After  Power  Restored 

The  maintenance  personnel  and  their  escort  now  exit  RU 
014,  closing  and  locking  the  door,  and  telephoning  the  guard  to 
advise  him  that  RU  014  can  now  be  secured.  The  guard  confirms 
that  014  still  appears  in  the  Location  Select  Display  (if  it  did 
not,  he  would  enter  it  using  the  Ten-Digit  Key  Pad  and  the  Loca- 
tion Select  function  switch)  and  actuates  the  Secure  function 
switch.  The  yellow  indicator  on  the  Geographical  Display  Panel 
is  extinguished  and  the  yellow  indicator  on  the  Status  Summary 
Display  is  replaced  by  green.  The  entry,  "1358  SITE  SECURE",  is 
recorded  on  the  logging  printer  and  the  digital  display  shown  in 
Figure  20  appears. 
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780920 


Figure  20  Digital  Display,  Site  Secure,  Fully  Operational 
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Summary  Display  indicator  changes  from  green  to  red,  the  outputs 
from  the  CCTV  cameras  covering  perimeter  segment  063  appear  on 
the  screens  of  the  monitor  pair  that  have  not  been  selected  by 
the  Monitor  Pointing  Switch,  and  the  digital  display  is  as  shown 
in  Figure  21.  The  same  entry  is  recorded  on  the  logging  printer. 
The  Acknowledge  Function  Switch  lamp  is  flashing  on  and  off. 
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1733  ALARM  SEGMENT  063  E-FIELD  MAID/MILES 
ACKNOWLEDGE 


Figure  21  Digital  Display  When  Alarm  Occurs 

The  guard  at  the  primary  station  operates  his  Monitor 
Pointing  Switch  to  select  the  monitor  pair  that  is  displaying  the 
segment  063  scenes.  The  audible  alarm  is  silenced  and  the  flash- 
ing light  in  the  Acknowledge  switch  is  extinguished.  The  indica- 
tor associated  with  the  selected  monitor  pair  displays  "063"  and 
"NO  CONTROLS".  The  digital  display  changes  to  that  shown  in  Fig- 
ure 22  and  the  voice  annunciating  system  announces,  "Alarm,  seg- 
ment zero  six  three,  E-Field,  MAID/MILES,  cover  on  Boundary  Road 
and  Center  Road".  The  flashing  red  lamp  on  the  Geographical 
Display  Panel  is  now  on  steady  at  segment  063.  No  new  entries 
are  recorded  by  the  logging  printer. 
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1733  ALARM  SEGMENT  063 
COVER  ON  BOUNDARY 


E-FIELD  MAID/MILES 
ROAD  AND  CENTER  ROAD 


Figure  22  Digital  Display  After  Alarm  Acknowledgement 


When  the  alarm  condition  occurred  and 
cameras  were  automatically  patched  in  to 
Guard  Control  Stations,  the  deer  that  caused 
mediately  seen  and  identified.  The  guard  at 
then  advised  two  of  his  roving  patrols  by  rad 
deer  in  segment  063  and  directed  one  of  them 
ment  via  Center  Road  and  the  other  to  approac 
and  see  if  they  could  drive  it  back  over  the 
site.  As  they  converged  on  the  target  secto 
into  sector  064  alarming  the  E-Field  Sensor 
jumping  the  outer  fence  and  leaving. 
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illuminated  at  sector  064  on  the  Geo- 
the  primary  station.  The  Digital 


Display  Unit  carried  the  messages  shown  in  Figure  23.  The  log- 
ging printer  recorded  the  following  entry,  "1736  ALARM  SEGMENT 
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064  E-FIELD" . 


780920 

1733  ALARM  SEGMENT  063  E-FIELD  MAID/MILES 
COVER  ON  BOUNDARY  ROAD  AND  CENTER  ROAD 

1736  MORE  ALARMS 
ACKNOWLEDGE 


Figure  23 


Digital  Display  After  Second  Alarm 
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When  the  guard  observes  the  deer  finally  jump  over  the 
he  actuates  the  Secure  and  TV  OFF  Function  Switches, 
is  controls  are  attached  to  RU  063  by  the  Monitor  Pointing 
and  since  the  alarm  causing  conditions  now  no  longer  ex- 
that  segment,  the  red  light  on  the  Geographical  Display 
that  is  associated  with  segment  063  is  extinguished  by  the 
" command  and  the  CCTV  cameras  at  063  are  turned  off.  The 
printer  record  the  following  entry,  "1737  SEGMENT  063 
, and  the  digital  display  shows  the  entry  "1736  'MORE 
. The  Digital  Display  Unit  appears  as  shown  in  Figure  24. 
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1736  MORE  ALARMS 


Figure  24  Digital  Display  With  More  Alarms 

The  guard  then  actuates  his  Monitor  Pointing  Switch  to 
the  alternate  position,  attaching  his  controls  to  RU  064  and 
bringing  that  alarm  out  of  the  queue.  The  number  064  replaces 
063  in  the  Location  Select  Display.  The  digital  display  immedi- 
ately carries  the  message  shown  in  Figure  25  and  this  same  mes- 
sage is  annunciated  by  the  voice  system. 
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1736  ALARM  SEGMENT  064  E-FIELD 

COVER  ON  BOUNDARY  ROAD  AND  EAST  ROAD 


Figure  25  Display  of  Second  Alarm  Details 


The  guard  now  actuates  the  Secure  Function  Switch.  The 
remaining  red  light  on  the  Geographical  Display  Panel  is  ex- 
tinguished and  the  red  indicator  on  the  Summary  Status  Indicator 
is  replaced  by  green.  The  digital  display  reverts  to  that  shown 
in  Figure  20  and  on  the  logging  printer  the  entry,  "1738  SITE 
SECURE",  is  recorded.  He  actuates  the  TV  OFF  Function  Switch  and 
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to  an  alarm 


It  should  be  noted  that  all  alarms  except  those 
might  have  been  screened  out  by  the  Environmental  Correl 
Module  are  accepted  by  the  CU  as  actual  alarms.  Momentary  a 
are  assessed,  recorded,  resolved  and  secured  with  the  same 
gence  that  is  applied  to  continuing  alarms.  The  supressio 
continuing  alarms  that  result  from  sensor  malfunction  is  a 
plished  through  failure  of  the  sensor  to  properly  respond  to 
sensor  test  command. 
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Flow  Diagram  of  Alarm 


Response 
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LIST  OF  ACRONYMS 


ADCCP  Advanced  Data  Communication  Control  Procedures 

ASCII  American  Standard  Code  for  Information  Interchange 

CATV  Community  Antenna  Television 

CCLW  Crossfire  Communications  Loss  Word 

CCT V Closed  Circuit  Television 

CCW  Counterclockwise 

CLW  Communications  Loss  Word 

CM  Communications  Microprocessor 

CMOS  Complimentary  Metal  Oxide  Semiconductor 

CPU  Central  Processing  Unit 

CSSMRS  Computerized  Site  Security  Monitor  and  Response  System 

CU  Central  Unit 

CW  Clockwise 

DDU  Digital  Display  Unit 

DMA  Direct  Memory  Access 

DPENA  Data  Port  Enable 

FCS  Frame  Check  Sequence 

FDS  Fence  Disturbance  Sensor 

FEDS  Forced  Entry  Deterrent  Systems 

FIFO  First  In  - First  Out 

GCS  Guard  Control  Station 

GDU  Geographical  Display  Unit 

GOP  Guard  Operating  Panel 

GOPI  Guard  Operating  Panel  Indicator 

HQ  Headquarters 

I/O  Input/Output 

LSI  Large  Scale  Integration 

MSG  Message 

OS  Operating  System 

PPW  Poll  Period  Word 

RAM  Random  Access  Memory 

RDA  Receiver  Data  Available 

ROM  Read  Only  Memory 

RSA  Receiver  Status  Available 

RU  Remote  Unit 

TBMT  Transmitter  Buffer  Empty 

TEOM  Transmit  End  of  Message 

TSA  Transmitter  Status  Available 

TV  Television 

USYNRT  Universal  Synchronous  Receiver/Transmitter 
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APPENDIX  1 


Notes  on  ADCCP  Communications  Interfaces 
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The  primary  function  of  the  USYNRT  is  to  take  parallel  data 
(bytes)  from  the  computer  and  present  it  in  serial  form  to  the 
communications  line  along  with  beginning  and  end  of  frame  flags 
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Other  control  lines  of  interest  are: 

RDA  Receiver  Data  Available 

RSA  Receiver  Status  Available 

TBMT  Transmitter  Buffer  Empty 

TSA  Transmiter  Status  Available 

DPENA  Data  Port  Enable 


DPENA 

is  an  input  wh 
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en  computer  and 
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RDA 

i s 

a s- 

serted  when  a cha 

racter  has 

been  r 

eceived 
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er  error 
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register  is 
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i ton . 

When 

functioning  as 

a transmitter  the 

chip 

puts 

the  beg 

inning- 

of-frame  flag  on  the  serial  line  then  serializes  the  address, 
control,  and  information  bytes  as  they  are  transferred  from  the 
computer.  Transmission  is  completely  transparent,  i.e.,  no  code 
combinations  are  forbidden.  To  avoid  confusion  between  data  and 
flags,  automatic  "bit  stuffing"  takes  place  on  a byte  that  has 
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more  than  five  adjacent  ones.  (A  flag  is  01111110).  The  extra 
zero  bits  inserted  by  the  bit  stuffing  are  automatically  stripped 
at  the  receiver  end.  After  the  computer  has  sent  the  last  byte 
it  must  set  the  Transmit  End  of  Message  (TEOM)  bit  in  the  control 
register.  The  chip  then  sends  a 16-bit  CRC  down  the  line  fol- 
lowed by  the  end-of-frame  flag.  After  the  flag  the  line  goes 
idle  if  TEOM  is  cleared;  if  not  cleared  the  chip  sends  continuous 
f 1 ag  s . 

When  functioning  as  a receiver  the  chip  monitors  the  serial  input 
line  and  searches  for  a beg  inn ing-of- frame  flag.  When  the  first 
non-flag  byte  has  arrived  and  is  transferred  to  the  data  buffer 
the  RDA  control  line  is  asserted.  The  computer  must  read  the 
contents  of  the  buffer;  failure  to  do  so  before  the  next  byte  ar- 
rives results  in  an  overrun  condition.  An  overrun  will  cause  the 
assertion  of  RSA.  RSA  is  also  asserted  after  the  final  flag  to 
indicate  end  of  message.  At  this  time  the  computer  must  read  the 
receiver  status  register  to  ascertain  whether  or  not  the  frame 
was  received  without  error.  This  fact  is  indicated  by  a single 
bit  in  the  status  register;  the  CRC  code  itself  is  not  presented 
to  the  computer . 

The  USYNRT  may  be  set  to  Secondary  Address  Mode  by  writing  a bit 
into  the  mode  control  register  and  by  writing  the  station  address 
into  the  secondary  address  register.  Now  the  RDA  line  will  not 
be  asserted  until  a message  is  received  with  an  address  field 
that  matches  the  station  address;  all  other  frames  will  be  ig- 
nored . 

Interface  to  a microprocessor 

Since  the  USYNRT  contains  several  registers  plus  a number  of  con- 
trol lines  that  must  be  interfaced  it  is  treated  not  as  one  dev- 
ice but  as  13  devices  for  programming  purposes.  However,  the  mi- 
croprocessor architecture  allows  for  direct  selection  of  only  7 
input  and  7 output  devices.  More  devices  can  be  addressed  by 
building  a multi-level  system  in  which  one  I/O  intruction  selects 
a device  selector,  etc.  Rather  than  construct  such  a complex 
system  all  the  USYNRT  registers  and  lines  were  interfaced  using 
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To  alleviate  some  of  the  speed  restriction  inherent  in  programmed 
I/O,  the  interface  was  expanded  to  permit  data  transfers  via 
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direct  memory  access  (DMA).  Only  the  receive  and  transmit  data 
buffers  are  interfaced  this  way;  other  functions  remain  entirely 
under  program  control.  For  DMA  transfers  the  program  initializes 
the  appropriate  CPU  register  (RO)  for  a memory  pointer,  starts 
the  USYNRT  with  programmed  I/O,  then  issues  a DMA  Permit  command 
to  the  interface.  The  chip  address  lines  are  then  forced  to  the 
proper  state  for  the  transfer  and  the  control  handshaking  takes 
place  between  RDA  and  TBMT  with  the  DMA  state  signal  from  the 
CPU;  thus,  bytes  are  transferred  to/from  memory  without  execution 
of  computer  instructions  once  the  process  has  started. 

The  end-of-frame  procedure  remains  under  program  control.  For 
receiving,  this  means  the  program  must  look  for  the  assertion  of 
the  RSA  line,  indicating  end  or  error.  For  transmitting,  the 
software  must  monitor  the  contents  of  RO  in  order  to  determine 
when  to  terminate  the  message.  When  the  last  byte  has  been 
transferred,  the  DMA  channel  must  be  disabled  and  end-of- message 
procedure  completed  under  program  control. 

Interface  to  another  microprocessor. 

The  USYNRT  interface  to  the  second  microprocessor  is  similar  to 
that  of  the  first  in  that  each  register  on  the  chip  is  treated  as 
a separate  I/O  device;  however,  since  the  second  microprocessor 
is  able  to  directly  address  256  devices,  the  registers  are  inter- 
faced as  conventional  I/O  ports.  The  register  address  lines  and 
the  read/write  line  of  the  chip  are  connected  to  4 of  the  CPU  ad- 
dress bus  lines.  This  means  that  read  and  write  operations  for  a 
given  register  have  separate  port  addresses. 


The  bidirectional  data  bus  of  the  USYNRT  is  separated  into  two 
busses  in  this  interface  in  order  to  mate  with  the  bus  structure 
provided  by  the  boards  on  which  the  computer  resides. 


A unique  feature  of  this  interface  is  that  it  ut 
tored  interrupt  feature  of  the  second  microproc 
used  control  outputs  of  the  USYNRT,  namely  RDA, 
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Details  of  FEDS  Safe/Arm  Provisions 


Figure  A-l  shows 
reliably  fire  the  FEDS 
against  unintended  firing 
to  the  protected  area. 


schematically  the  circuitry  required  to 
and  at  the  same  time  provide  protection 
during  the  course  of  authorized  access 
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Two  of  its  three  poles  carry  current  to  the  squibs;  the  third  is 
used  to  actuate  a time  delay  relay  which  will  be  explained  later. 

The  Electrical  Safe/Arm  switch  is  a heavy  duty  relay  with 
a single  set  of  contacts  in  series  between  the  positive  terminal 
of  the  power  source  and  the  Manual  Safe/Arm  switch.  It  is  ac- 
tuated by  a solid-state  driver  circuit  but  the  common  terminal  of 
the  driver  circuit  is  wired  to  ground  through  the  Manual  Safe/Arm 
switch,  inhibiting  operation  while  the  manual  switch  is  in  its 
Safe  position.  The  driver  is  preceded  by  a logical  AND  gate 
which  demands  that  the  following  conditions  be  met  before  the  re- 
lay can  move  to  the  Arm  position:  computer  command  to  arm, 

30-second  timer  not  running,  time  delay  relay  released,  and  over- 
ride switch  closed.  How  these  conditions  are  met  or  not  met  can 
be  best  explained  by  going  through  typical  operational  sequences: 


Normal  entry  and  exit Electrical  Safe/Arm  is  in  Safe 

position,  Manual  Safe/  Arm  in  Arm.  The  first  event  for  author- 
ized access  is  the  occurrence  of  a "match"  signal  from  the  elec- 
tronic lock;  this  signal  is  used  to  actuate  the  lock  bolt 
solenoid,  allowing  the  door  to  open.  The  first  act  of  the  person 
entering  the  magazine  is  to  move  the  Manual  Safe/Arm  switch  to 
Safe.  This  action  causes  the  key  match  signal  to  clear  and  the 
bolt  solenoid  to  de-energize.  The  last  personnel  action  before 
leaving  the  magazine  is  to  switch  Manual  Safe/Arm  back  to  Arm. 
This  will  start  the  30-second  timer  which  in  turn  actuates  the 
bolt  solenoid,  permitting  the  door  to  be  closed.  This  operation 
of  the  bolt  serves  as  a reminder  to  restore  Manual  Safe/Arm  to 
Arm;  if  this  step  is  omitted  the  door  cannot  be  closed. 


Failure  during  entry In  the  above  procedure  it  is  as- 
sumed that  the  Electrical  Safe/Arm  relay  remains  in  the  Safe  po- 
sition. It  is  possible  however,  that  communications  between  the 

RU  and  CU  could  fail  between  the  time  the  door  was  opened  and  the 
time  that  the  Manual  switch  was  set  to  Safe.  If  this  happened, 
the  RU,  now  in  autonomous  mode,  would  likely  command  FEDS  to  fire 
since  the  select  sensor  group  would  most  certainly  be  in  an  alarm 
state.  It  is  necessary  then  to  delay  the  effect  of  the  computer 

command  and  warn  personnel  of  the  failure.  The  presence  of  the 

key  match  signal  AND  the  computer  command  to  Arm  starts  the 
30-second  timer  mentioned  above.  A signal  from  this  timer  is 
used  to  inhibit  actuation  of  the  Electrical  Safe/Arm  switch  and 
will  cause  a klaxon  or  loud  horn  to  sound.  During  this  30-second 
period  the  person  entering  may  (a)  place  the  Manual  Safe/Arm 
switch  to  Safe  or  ( b)  retreat  and  close  the  door,  removing  the 
alarm  causing  conditions.  If  he  chooses  (a) , the  lock  bolt  will 
be  released  and  key  match  signal  cleared  as  described  above.  For 
case  ( b)  the  expiration  of  a three-minute  timer,  started  when  the 
lock  was  opened,  will  insure  that  the  bolt  is  eventually  released 
and  the  lock  cleared. 
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Failure  during  exit If  the  communications  failure  oc- 

curs between  the  time  of  Manual  Arm  and  actual  exit,  a similar 
personnel  hazard  exists.  Again  the  30-second  timer  will  be  used 
to  delay  Electrical  Safe/Arm  actuation.  In  this  case  the  timer 
is  started  when  Manual  Safe/Arm  is  moved  to  Arm.  Unfortunately, 
this  produces  a dangerous  "race"  condition,  i.e.,  the  FEDS  firing 
circuit  is  complete  for  an  instant  before  the  timer  can  start  its 
inhibiting  action.  The  remedy  for  this  situation  is  a time  delay 
relay  with  d el  ay-on- rel ease  action.  The  operation  is  as  follows: 
the  relay  actuates  immediately  when  the  Manual  Safe/Arm  is  moved 
to  Safe.  From  the  contacts  of  this  relay  another  Electrical 

Safe/Arm  inhibit  signal  is  derived.  When  the  Manual  switch  is 

returned  to  Arm  this  inhibit  signal  remains  until  the  delay  time 
has  expired;  thus,  the  inhibit  is  continuously  present  while  the 
switching  is  taking  place.  The  delay  period  of  the  relay  could 

be  30  seconds  or  less.  Again,  the  klaxon  will  sound  if  the  RU 

tries  to  arm  FEDS  during  this  time. 


Access  by  Mechanical  Override- A third  inhibiting  input 

to  the  Electrical  Safe/Arm  relay  is  derived  from  the  mechanical 
override  switch.  This  normally  closed  switch  opens  when  the 
override  mechanism  has  been  actuated  to  the  end  of  its  cycle. 
The  klaxon  is  also  inhibited  by  this  switch  since  its  warning  is 
not  necessary  for  this  situation.  When  the  override  switch  is 
open  and  Electrical  Safe/Arm  is  Safe,  an  LED  is  illuminated  and  a 
mechanical  flag  appears  outside  the  magazine  indicating  that  it 
is  now  safe  to  enter. 


Computer  controlled  testing  of  the  power  source,  FEDS 
squib  continuity,  and  Sa f e/Arm swi tc h positions  can  be  implemented 
by  voltage  sensing  at  the  three  test  points  shown  on  the  diagram. 
Figure  A-l . For  these  tests  it  is  only  necessary  to  detect  the 
presence  or  absence  of  voltage  at  the  specified  test  point. 
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